Jaime Chanaga: Man in the Middle

The tension can also be felt just outside of town, where Geisinger Medical Center sits on a hill overlooking the rolling countrysidea sprawling, big-city hospital and modern research center plunked down in small-town America. Almost 90 years after its 1915 founding, more people work and receive care at the Medical Center most days than reside in Danville. And Geisinger’s modern-day stewards, such as CISO Jaime Chanaga, are trying to remain true to the charge laid down by founder Abigail Geisinger to make her hospital “the best.”

The hospital is eight years into a $68 million-plus effort to deploy a state-of-the-art electronic medical records (EMR) system that has streamlined patient care within the hospital and outpatient services at Geisinger’s 15 clinics in 38 Pennsylvania counties. Recently, the hospital has also moved aggressively to deploy a host of Web-based medical services for patients and staffincluding a patient portal for accessing online medical records called MyGeisinger.

However, behind the scenes, the move to electronic medical records and medical Web services has heaped new demands on Chanaga’s information technology security staff. Chanaga and his staff face the daunting and sometimes contradictory tasks of trying to increase staff and patient access to medical information, and staying on top of the latest advances in medical devices, while also formalizing security policies and adhering to regulatory requirements for more than 400 medical and administrative applications, almost one-third of which are mission critical.

Offering the perspective of a man who’s barreling down a road that most people are still trying to merge onto, Chanaga has found that the secret to managing IT security in a Web services-dominated world is knowing you don’t have all the answers. Instead, Chanaga and his staff at Geisinger have found success by sharing responsibility and by striking a balance between customer needs and corporate goals.Digital Case FilesA visit to Geisinger’s data center, a sturdy, two-story, cement building at the rear of the Danville campus, underscores the challenges facing IT security staffs who work in a medical environment.

Clean-cut and dressed in a double-breasted suit, Chanaga gestures to rows of racks filled with computer hardware. Above each rack, a simple, white placard identifies systems that host countless specialized medical and administrative applications: “Blood Bank,” “Dietary,” “EPIC Care,” “MyChart Web Server,” “PACS Stentor,” “Wisdom Case Management” and so on.

Those applications include EMR systems that are used by the Medical Center and by Geisinger physicians working in rural clinics; appointment scheduling software; and radiology applications: tools that Geisinger and other hospitals are using to improve patient care.

Radiologists, for example, would often spend an hour of each day looking for patient X-rays. Now 75 percent of all the hospital’s radiology images are online and accessible from computer terminals spread throughout the hospital and at far-flung outpatient clinics, says Dr. Jim Walker, Geisinger’s chief medical information officer.

For IT security staff, however, the plethora of specialized medical applications and devices and the legitimate need to share data that’s stored in those applications among clinical staff, patients and even those outside the Geisinger network make security a vexing problem.

“This is a very diverse environment. So, the question is: How do you wrap security around all of this?” Chanaga says.

A growing number of hospitals are asking the same question as they turn to the Internet and Web-based services to integrate information from different medical data stores on their networks and struggle to breathe new life into aging legacy applications, says Joe Poats, a vice president and health technology expert at Capgemini.

Geisinger’s extensive use of Web services probably puts it in the top 25 percent of hospitals nationwide. But even organizations that don’t have or can’t afford extensive EMR systems and electronic physician order entry (POE) technology are introducing Web-based services that give patients and staff a look at data from back-end systems.

“For a lot of hospitals, Web services provides the tools to do something relatively quickly with data that’s already there,” Poats says.

Similar to other companies inside and outside of the health-care field, Geisinger uses an array of security products and services to lock down sensitive data and patient health information. Firewalls, intrusion detection systems (IDS), antivirus software and system access audit trails protect sensitive data servers such as the patient information stored in the Epic electronic medical records system. Geisinger also uses Web access management software and RSA SecurID tokens so that physicians can log in securely to the special Web portal: Geisinger@Home. Managed vulnerability scanning services search for security holes in products on the network perimeter and on its internal network and systems.

Still, technology is only one aspect of security at organizations such as Geisinger, and often not the most important part, Poats says.

“The biggest hurdle we see clients have is realizing benefits from their investment in technology. It’s not just creating passwords. Security has to be integrated with workflow, with middleware applications and everything else,” he says.

Chanaga agrees. “Most people think of information security from the technology perspective, that it’s about the controls and audits that you layer on top of things,” he says. “We’ve come on and said, Information security is not strictly about IT security.”

Instead, Chanaga and his staff work with the doctors, nurses and analysts who support the disparate clinical areas at Geisinger to raise awareness of information security and mitigate risk by implementing the appropriate processesnot just the proper technology.Privacy Versus ConvenienceThe hospital’s MyGeisinger Web-based patient portal is a good example of balancing the latest in medical information delivery with a sensitivity to privacy and security. Developed by IT staff at Geisinger and launched in 2001, the portal includes a link to an Epic feature called MyChart that gives Geisinger patients online access to many parts of their medical records. Patients can also use secure e-mail to communicate with any of the physicians who have seen them, says Joan Topper, director of e-Health at Geisinger.

The system is secure; firewalls and 128-bit Secure Sockets Layer (SSL) encryption protect both external access from the Internet to the MyGeisinger Web server, and from the Web server to Geisinger’s Epic databases, Chanaga says. But it’s hardly convenient. Out of concern for patient confidentiality, Geisinger required participants to sign up for the service in person at their physician’s office or another hospital facility where staff could verify their identity. Enrollment grew slowly in the first two years from around 3,000 to 10,000 patients, just a small percentage of the 300,000 patients that Geisinger serves.

In response, Chanaga and his team worked with clinicians, IT staff, the marketing team and Geisinger’s Internal Audit department at the hospital to develop policies and enrollment features that struck a balance between security and convenience.

Patients can now request a MyGeisinger account online, through the Web portal, but they still don’t get immediate access to the electronic health records. The hospital follows online account requests with a letter to the patient’s home that contains further instructions and requires information only the patient would know, such as the date of their last office visit, Chanaga says.

The new online registration optionintroduced and promoted internally in Aprilwas immediately popular. The hospital added 600 new enrollees three days after it was deployed. Geisinger plans to market the new enrollment feature to all its patients and expects to have more than 80,000 MyChart users by the end of their 2004 fiscal year, says George Woodward, a hospital spokesman.Getting HIPAAMoving to a Web-based service model creates efficiencies in patient-doctor communications, but it demands that hospitals be mindful of patient privacy, especially in light of the 1996 federal Health Insurance Portability and Accountability Act (HIPAA), says John Halamka, CSO of CareGroup in Boston.

The law, some elements of which are still being implemented, mandates that hospitals not only provide patients with access to their medical records, but that they implement privacy and information security measures to protect that data, says Lawrence Hughes, regulatory counsel at the American Hospital Association (AHA).

In recent years, Halamka and his staff designed and deployed a Web-based portal that gives CareGroup patients access to their entire electronic medical record, and allows them to renew prescriptions and obtain referrals. Now used by 25,000 of the group’s 1 million patients, the system uses Microsoft’s .NET technology platform and simple object access protocol (SOAP) middleware to pull patient data from a back-end system running the Unix OS.

CareGroup developers integrated data from 14 different departmental databases, using Microsoft’s .NET platform along with extensible markup language (XML) to render patient information, and SOAP to manage communications between back-end systems running Unix and Web-based front-end systems. The CareGroup staff created complex access controls based on the role of the user (doctor, nurse, medical assistant and so on). They also created a set of policies that defined how the system would treat sensitive information versus nonurgent issues. For example, patients were told not to use the system for serious complaints such as chest pain.

“From the security side, you have to look at all the HIPAA regulations and ask yourself, Have we taken care of all the required and addressable HIPAA issues as part of the architecture?” Halamka says. CareGroup’s developers took extra steps when creating secure messaging features for e-mails sent between doctors and their patients. They use a Web-based secure messaging system (hosted by their own data center) that uses HTTP over Secure Socket Layer for all exchanges between physician and patient to reduce the chance that patient data would be sent to the wrong recipient, Halamka says.

“HIPAA’s not just a technical issue,” says the AHA’s Hughes. “It stretches across the board, affecting both policies and procedures.” At Geisinger, Chanaga’s group works with clinical and IT staffs and the Internal Audit Department to develop policies that balance patients’ demands for online access with HIPAA’s mandate to protect patient health information, says Dr. Walker.

For example, when it came to building features that allow patients to view lab results online, Geisinger built in controls that require the patient’s physician to review the results before allowing them to be accessed online. Lab tests that reveal new diagnoses or require complicated explanations are not released online until the patient has been called or had an appointment to learn the results.

Similar groundwork was needed to launch GeisingerConnect, a Web-based service that went live in 2002 and connects about 500 users at more than 100 non-Geisinger doctors’ offices to electronic patient records in Geisinger’s system, Chanaga says. With that service, Geisinger wanted to find a way to give nonaffiliated physicians who referred their patients to Geisinger specialists access to patient health information, without allowing them inside the hospital’s network or throwing open the doors to the hospital’s “crown jewels”: its patient information databases, he says.

In setting up this system, Geisinger’s IT staff and clinicians devised a “shadow” EMR service for nonaffiliated physicians. The service was deployed in a “demilitarized zone,” between Geisinger’s network and the Internet. Patient data is updated on the system continually, giving primary care physicians access to lab results, tests and notes by Geisinger specialists. And primary care physicians can view it using any Internet-connected PC with a Web browser equipped with 128-bit encryption and end-user authentication.

Data in the system cannot be modified, and unaffiliated physicians cannot connect to Geisinger’s production databases, where data could be tampered with or destroyed, Chanaga says.

For Chanaga, getting the security right for GeisingerConnect is just one way that his organization is helping to ensure the success of the service and turning IT security from a “cost center” to a “business enabler.” The service may help the hospital’s bottom line by encouraging nonaffiliated physicians to refer patients to Geisinger specialists, says Sean Duffy, one of four physician liaisons Geisinger hired to travel to doctors’ offices and promote GeisingerConnect. “This gives [doctors] an incentive to send patients to Geisinger,” he says.

In an increasingly competitive medical marketplace, those kinds of incentives and the efficiencies created by technology can help attract patients and customers, agrees Capgemini’s Poats. “There’s a tremendous upside to these servicesand it’s not just financial.”Technology Rat RaceStill, challenges remain for health-care organizations like Geisinger that are spending heavily on technology to comply with federal ruleseven as they face declining reimbursements from government and health insurance companies, says Hughes.

“My biggest challenge is just keeping up with the pace of medical research and advances in medical technology,” Chanaga says, including new technologies emerging on a weekly basis. He says he reaches out to vendors whose products are used by Geisinger doctors, explaining the hospital’s security policies and regulatory requirements. In one case, that meant determining if a new producta device that transmits data about pacemaker patients to care providers by phoneprovided any identifiable patient information (a privacy problem).

In other areas, though, the guidelines are less prescriptive and harder to follow, Chanaga says. For example, the final HIPAA rulegoverning standards for IT securityis scheduled to take effect in April 2005. The rule calls for audit trails for system activities, but doesn’t say what kinds of network and system activity need to be logged and audited, creating some disagreements among device and software vendors, and the hospital’s administration.

Geisinger CIO Frank Richards says that HIPAA may have been the motivation to start thinking about security eight years ago, but it is just a small piece of a much larger puzzle now. “HIPAA didn’t force us to do anything that wasn’t a good practice in the first place,” Richards says. “Any facility that thinks, But for HIPAA, we wouldn’t have a privacy issue, well, I don’t want to go to that place for care.”

With doctors evaluating mobile devices such as tablet PCs at the Medical Center, wireless security is sure to be a hot topic in coming years, Richards says. Geisinger has already deployed wireless network hot spots in a few locations. The hospital forces staff to authenticate and use encryption to enable wireless links, and forbids the use of Bluetooth wireless devices on campus, Chanaga says.

It’s a complex challenge, Chanaga allows, and one for which neither he nor his team has all the answers. But having all the answers isn’t necessarily a requirement. Chanaga sees his team as an “integrated IT and security delivery system.” They take feedback from the clinical community, and get buy-in from doctors and nurses on the front line. And they work with IT and internal auditors.

In health care, he says, “It’s all about balance. At the end of the day, people respect that it’s our responsibility to get things done.”