Policies & Standards of HIS
Group 7: Standards and Integration
Dr Azmi Mohd Tamil
Dr Badrulhisham Bahadzor
En Zainal Abd Ghani

About Myself
• Medical doctor with a Masters in Public Health (BMedSc, MD(UKM), MPH(UKM))
• Born before the age of IT. Grew up before the age of the Internet.
• No IT qualification whatsoever
• To me an ORACLE is someone who foretells the future, Java is an island in Indonesia and ASP is something that slithers and stings (Egyptian cobra). HL7 is HUKM Level 7.
HUKM Background
• Teaching hospital for undergraduate (Medical & Nursing, ~1000) & postgraduate students (~800)
• Secondary and tertiary care referral centre
• Medical research
• Services

HUKM Background - cont.
• Started from the Faculty of Medicine in May 1972, using HKL as our teaching hospital.
• Initiative to have our own teaching hospital in early 1990.
• HUKM operations started on 1st Jul 1997 and were officiated by YAB Tun Dr. Mahathir in 1998.
HUKM Background - cont.
• 1050 beds
• 21 OT
• 10 specialist clinics
• Other hi-tech facilities: Magnetic Resonance Imaging (MRI), CT scan, fluoroscopy, angiography, ultrasound, intravenous urogram, mammography, gamma camera, linear accelerator, Cobalt 60, nuclear medicine, hydrotherapy pool
• Staff ~3000

Uniqueness of HUKM
1. Teaching hospital
2. Research hospital
3. Tertiary referral centre hospital
4. Established hospital
5. Implements case-mix
6. Partial implementation of information systems (manual + computer-based)
[Chart: Outpatient's Statistic, annual totals 1997-2004; plotted values (ascending): 49208, 174098, 239473, 280967, 301393, 335323, 346344, 363547]
[Chart: Inpatient's Statistic, annual totals 1997-2004; plotted values (ascending): 2517, 22208, 29439, 34677, 35348, 35469, 35596, 36536]
[Chart: A & E Walk-in Patient's Statistic, annual totals 1997-2004; plotted values (ascending): 2992, 36888, 51756, 54072, 54462, 60902, 61533, 63969]

Current Running System
1. Core HIS
2. Pharmacy Information System
3. Radiology Information System
4. Laboratory Information System
5. Order Management System
6. Picture Archiving and Communication System
7. Primary Care Information System
8. Financial & HR System
CURRENT STATUS OF INFORMATION SYSTEM IN HUKM

Pharmacy
  - PMS
  - Teliti/IPS
  - IBM e-series/Win2000 (manual clustering)
  - Database: Oracle 8
  - 70 licences
  - Approx. 350 users
  - Site: Clinical block

Laboratory
  - ILMS
  - ANSI/IMS
  - Database: Oracle 8
  - 70 licences
  - 140 users
  - Site: Clinical and Academic blocks

Radiology
  - IRIS
  - ANSI/IMS
  - SUN E3500/Solaris
  - Database: Oracle 8
  - 70 licences
  - Approx. 10 users
  - Site: Clinical and Academic blocks

PACS
  - ANSI/MEDWEB
  - SUN/Linux
  - Database: Postgres
  - Site: Radiology Dept

HIS
  - InfoMED
  - Mesiniaga
  - RISC 6000/AIX 4.3
  - Database: Informix 7.2
  - 70 licences
  - Approx. 150 users
  - Site: Clinical and Academic blocks
HIS-HUKM Project

[Diagram: HUKM Network Backbone]
Components shown:
• HUKM Network server
• HUKM FP Webpage & Library server
• HUKM eMail server
• Workstations: wards, clinics, Medical Records, other departments
• Integrated Security System
• HUKM clinical information system network (H.I.S): two-way flow of data
• HUKM non-clinical information system network: one-way flow of data
Objectives of HUKM hospital information systems
• To improve efficiency of hospital operation
• To improve quality of medical care
• To enable data and information sharing between healthcare providers
• To support the case-mix system
• To support research and education in medical informatics
• To support implementation of the MyHealth project by the Ministry of Health, Malaysia.

HIS plan
• Replace Core HIS with our own Core HIS
• Replace OMS with our own Computerized Physician Order Entry (CPOE) System
• Maintain other existing systems:
  - Pharmacy Information System
  - Laboratory Information System
  - Radiology Information System

HIS plan - cont.
• Additional systems
  - Electronic medical record module
  - Case-based learning module
  - Research

HUKM HIS Project
• Integration of Core HIS + Computerized Physician Order Entry (CPOE) with the current running systems using HL7
• Started in 2004
• We will deliver phase 1 (Pt Registration, ADT, OT Scheduling, Appointment & Patient Accounting & Billing) & phase 2 (CPOE & Integration) by mid next year
• Good support from management & users (+clinicians)
• The team comprises >60 people
New proposed HIS Structure

[Diagram: proposed HIS structure; components are linked through HL7, PACS through DICOM; legend distinguishes New System from Existing System]
Components shown:
• Core HIS & Order entry (CPOE)
• Clinical Information System / Electronic Medical Record
• Medical Education Module
• Research Module
• Financial System
• Human Resource System
• Clinical Information System, Primary Care Clinic Bandar Tasik Selatan
• HL7 Communication Server
• Pharmacy Information System
• Radiology Information System
• Laboratory Information System
• Physiotherapy Service
• Dietetic Service
• Nursing Care
• PACS (DICOM)
• Existing departments
SYSTEM ARCHITECTURE (OVERVIEW)
System Integration Phase 2

[Diagram: network and system architecture]
Network: JARING; KCKL (2 MB) and BANGI (4 MB) links; firewalls (FW), routers (R), NAT; public DNS 1 and DNS 2; HUKM secured segment (13 segments); BTS 1 and BTS 2 (128 KB links); KCKL (2 MB), BANGI (2 MB)
Servers and databases: HIS 1, HIS 2, HIS 3 (brocade switches, SAN); Core HIS & Order entry (Oracle); Medipro (Oracle); ILMS/IRIS (Oracle); PACS (Postgres); SKU (Informix); SMK (Informix); Modalities (Scanning)
Interfaces: Gateway 1, Gateway 2, Gateway 3; Integration Agent; Sql Net links to the Oracle databases; HL7 links between systems; DICOM between PACS and the modalities

Proposed:
1. Set up a secondary DNS.
2. The firewall needs to be upgraded.
3. Review the switching and routing of the HUKM network.
4. Set up an internal firewall as shown in the diagram.
Objectives
• Core HIS must comply with National or International standards
• Core HIS must be HL7 compliant

1. Standards

Standards
• Comply with Ministry of Health and/or ISO/ANSI standards
• Will be implemented for both final diagnosis & procedures (medical, lab, radiology & others)
• For final diagnosis - ICD-10
• For procedures - ICD-9CM
• Generic - new coding standards can be implemented by the use of data mapping

Standard & Disease Coding
• ICD 10 (Diagnosis standard & coding)
• ICD 9 CM (Procedure standard & coding)
• MAMPU (Demographic data)
• SNOMED CT / Read Code (Clinical coding)
• Drugs (MDC)
• Security
  - Data Protection Act
  - HIPAA 1996 (Health Insurance Portability and Accountability Act)
• Data & Messaging
  - Health Level 7 (Health application integration standard)
  - DICOM (Medical image coding)
Non-functional requirements
• Comply with required standards (HL7, ICD10, ICD9CM, SNOMED, HIPAA etc.)
• Comply with MOH data dictionary version 1.1
• Support MyKad & MyKid implementation (read & write)
• Etc.

MyKad (GMPC)
• My = Malaysia
• KAD = Kad Akaun Diri
• "Standard credit card-sized device with embedded microchip"
• Consists of:
  - identity card
  - driving licence
  - immigration information - passport
  - health information
  - e-cash & public key
Diagnosis: ICD-10 Data Diagram
• Discharges (Ward, A/E)
• Discharge diagnosis written in full text by the doctor
• Case Mix coder interprets the full text into an ICD-10 code

ICD-9CM Data Diagram
• Procedures (Ward, Clinic, OT, A/E, Others)
• Procedure ordered by the doctor
  - listed procedure
  - non-listed procedure
• Case Mix coder interprets the full text into an ICD-9CM code

Requirements: Standards
• WHO ICD-10 Reference Code (USD 700)
• WHO ICD-10PCS Reference Code (3M Corp)
• ICD-9CM Reference Code (US National Center for Health Statistics - NCHS)

STANDARD IN Confidentiality & Security
Standards - Security
• Objectives
  - To ensure the integrity and confidentiality of the information
  - To protect against reasonably anticipated
    - threats or hazards to the security or integrity of the information
    - unauthorized uses or disclosures of the information
  - To ensure compliance with this part by the officers and employees of such person

Security Issues
1. Data storage (data centers, servers, workstations etc.)
2. Personal/private data
3. Operating systems
4. PC based software
5. Network access - from outside world
6. Network access - from within LAN
7. User awareness
8. Denial of service
9. E-mail/web servers

Security level, cost & user-friendliness
[Chart: Security level vs cost]
[Chart: User-friendliness vs Security level]
• 100% security level is very difficult to achieve
• User-friendliness is normally inversely proportional to security level

Basic Security Approach
• Basic approach as outlined in the Site Security Handbook (RFC 2196)
  (1) Identify what we are trying to protect.
  (2) Determine what we are trying to protect it from.
  (3) Determine how likely the threats are.
  (4) Implement measures which will protect our assets in a cost-effective manner.
  (5) Review the process continuously and make improvements each time a weakness is found.
• Divisions
  - Policy making
  - Physical safeguard
  - Administrative
  - Software
    - Authentication, authorization, secured communication, encryption
    - Auditing
Issue 1: Data storage
• Data corruption, hardware failure due to wear and tear and mishandling
  - Periodical backup - properly indexed, backup on different media
  - Restore procedure has been fully tested
  - Store backup tapes in different buildings as necessary - reduces the fire risk
• Data on PC, notebook
  - Backup to other PC, CDROM, or diskette
  - Special server for personal data backup
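The restore test that Issue 1 calls for, as an added example (not part of the presentation or of any HUKM system): back up a directory to a tar archive, restore it into a scratch directory and compare every file against the SHA-256 index taken at backup time, so that a backup is only trusted once a restore has actually been verified. The sample tree, file names and function names are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large archives do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its digest: the backup index."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source_dir: Path, archive: Path) -> None:
    """Write a gzip-compressed tar of source_dir (a file stands in for the tape here)."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=".")


def verify_restore(archive: Path, expected: dict[str, str]) -> tuple[bool, set[str]]:
    """Restore the archive into a scratch directory and compare it with the index.

    Returns (ok, paths_that_differ). A path differs when it is missing from the
    restore, has a different digest, or was not in the index at all.
    """
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(path=scratch, filter="data")  # safe-extraction filter
            except TypeError:  # older Python without the filter argument
                tar.extractall(path=scratch)
        restored = snapshot(Path(scratch))
    differing = {p for p in set(expected) | set(restored) if expected.get(p) != restored.get(p)}
    return (not differing), differing


def run_demo() -> tuple[bool, bool, list[str]]:
    """Back up a constructed sample tree, then verify a clean and a tampered index."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "records"  # constructed sample data, not real records
        (src / "ward").mkdir(parents=True)
        (src / "ward" / "census.txt").write_text("ward 1: 30 beds\n")
        (src / "index.txt").write_text("backup index: ward/census.txt\n")
        archive = Path(work) / "records.tar.gz"

        expected = snapshot(src)        # index taken at backup time
        create_backup(src, archive)
        ok_clean, _ = verify_restore(archive, expected)

        tampered = dict(expected)       # an index that no longer matches the media
        tampered["index.txt"] = "0" * 64
        ok_tampered, differing = verify_restore(archive, tampered)
        return ok_clean, ok_tampered, sorted(differing)


if __name__ == "__main__":
    print(run_demo())  # (True, False, ['index.txt'])
```

The index is what makes a backup "properly indexed" in a verifiable sense: it is kept separately from the media, and a restore that does not reproduce every digest is reported file by file rather than silently accepted.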
Disaster Recovery Plan
• Use of data backup software
• Use of data replication software
• Use of local strong room (incl. fireproof cabinet)
• If possible, store backups off-site (i.e. utilise preset servers in Bangi, and vice versa)
• Duplicating data (mirroring) using 2 powerful servers, one sited off-site
• "Hot-site" mirroring

Data Safekeeping
• Repositories. These are responsible for holding data and other information assets and preparing them for reuse.

Issue 2: Personal/private data
• Unauthorized access to file and printer sharing
  - File sharing in a workgroup is designed to work only within the LAN in the same segment, not to pass through a router, but TCP/IP allows the sharing to cross LANs
  - Close all unused file and printer shares
  - Use a password for data protection
• Back door on PC
  - Never install unknown software
  - Check for open ports on the PC, i.e. using nmap to scan for open ports
[Screenshot: using nmap to scan for open ports]
Issue 3(i): Operating system
• Unauthorized access
• Sharing passwords
  - Delegation of a job must use a different id
    - Easier to audit the log file
    - Less possibility of the id/password falling into the hands of an irresponsible person
  - Different ids and passwords for different servers
    - Different systems normally have different security measures
    - Never use the same id/password as on other public domain systems
• Brute-force attack
  - Use a mixture of character types
    - The number of possible password combinations is M^N
      • N: number of password characters, normally 8
      • M: 10 for numbers only; 62 for alphanumeric; 92 for alphanumeric and special characters
  - Change password regularly
Issue 3(ii): Operating systems
• Terminal emulation trick
  - An unsuspecting user will fall into the trap, resulting in the recording of the login id and password
• Computer with root access left open unattended
  - Log out immediately after finishing work
• Loophole on OS
  - Patch known loopholes
  - Subscribe to known CERT newsgroups, i.e.
    http://www.cert.org
    http://www.securityfocus.com
    http://www.advisormedia.com
    http://www.windowsitsecurity.com
  - Monitor ports - which ports are open?
  - Key systems must have an OS with a 'hardened/armored' kernel
  - Disable all unused services

Issue 4: PC based software
• Virus through e-mail attachment file
  - Never open executable files, i.e. *.exe, *.vbs, *.bat etc., no matter how inviting the name or the purpose is
  - Install an anti-virus program on every PC
  - Users must update virus data regularly
  - Install an anti-virus program on the e-mail server
  - Never trust anybody/site which is
    - unknown
    - not expert at estimating the security risk
Issue 5: Network access - from outside world
• Hackers may use port scanning tools to find out any weak point
  - i.e. LANguard Network Scanner, NetLab
[Screenshots: NetLab output; LANguard Network Scanner]
• Install a firewall
  - Security policy should be revised from time to time
  - Log files are continuously monitored
  - A firewall will not stop hackers that use packet spoofing
• Use a proxy server and private IP
  - Access speed may be sacrificed
  - Data access only from inside to outside
  - Have multiple security zones
Issue 6: Network access - from within LAN
• Port scanning to find out any weak points
  - Use a network scanner/sniffer
  - Record any unusual activities
• Complete database of user systems
  - Monitor any attempt to change identity
• Use several virtual LANs
  - Disable any unused UTP ports
• Illegal setup of servers that provide remote access
  - Monitor all servers that provide remote access
  - All servers in the organization must be registered with the IT authority
• Use of agents that enable a PC to be used/controlled remotely
  - Scan all PCs for open ports that allow remote access
Issue 7: User awareness
• Keeping the password secret
• Leaving the password in the system
  - Never allow the system to 'remember our password'
  - Change password from time to time
• Using the same password as on other public domain servers
  - Use a different password for each system/server
  - Keep the list of passwords in a secret place
• Using a password found in a dictionary
  - Always use a password with a mixture of letters (small and capital), numbers and special characters
• Waste of bandwidth by receiving video/audio streaming transmissions
  - If possible, stop UDP packets
  - Awareness of the price of bandwidth in getting the services
• Educate the users
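A worked check of the password advice in Issue 3(i) and Issue 7, added here and not part of the original slides: it computes the slide's keyspace M^N for the three alphabet sizes given (10, 62, 92) and flags passwords that lack the required mix of small letters, capitals, numbers and special characters or that appear in a dictionary. The guess rate, the small sample dictionary and the function names are assumptions of the example.

```python
import string

# Character classes behind the slide's alphabet sizes M: numbers only (10),
# alphanumeric (62), alphanumeric plus special characters (92, the slide's figure)
DIGITS = set(string.digits)
LETTERS = set(string.ascii_letters)
SPECIALS = set(string.punctuation)

# Constructed stand-in for a cracking dictionary; a real check would load a word list
SAMPLE_DICTIONARY = {"password", "hospital", "hukm", "welcome", "letmein", "oracle"}


def alphabet_size(password: str) -> int:
    """M: the smallest of the slide's alphabets that contains every character used."""
    chars = set(password)
    if chars <= DIGITS:
        return 10
    if chars <= DIGITS | LETTERS:
        return 62
    return 92


def keyspace(password: str) -> int:
    """Number of possible passwords of this length drawn from this alphabet: M ** N."""
    return alphabet_size(password) ** len(password)


def exhaustive_search_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    return keyspace(password) / guesses_per_second


def check_policy(password: str, min_length: int = 8) -> list[str]:
    """Return the policy violations (an empty list means the password is acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c in DIGITS for c in password):
        problems.append("no number")
    if not any(c.islower() for c in password):
        problems.append("no small letter")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if password.lower() in SAMPLE_DICTIONARY:
        problems.append("found in dictionary")
    return problems


if __name__ == "__main__":
    for pw in ("12345678", "Passw0rd", "Hukm#2004x"):
        print(pw, keyspace(pw), check_policy(pw))
```

The comparison makes the slide's point concrete: an 8-digit numeric password has 10^8 possibilities, while the same length drawn from the 92-character alphabet has 92^8, and the dictionary check catches the case the keyspace figure alone misses, a password that is long and mixed in theory but guessable from a word list in practice.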
Issue 8: Denial of service
• Flooding the network communication line with unwanted packets
  - Communication line is congested
    - Check the router setup
    - Using good sniffer software, check for the source of the packets
• Server busy waiting for replies to unanswered SYN/TCP requests
  - Server is waiting for SYN/ACK
  - Server is not able to respond to new requests
  - 'Disconnect' the server from the source
  - i.e. netstat -a
• Distributed DoS is even more difficult to cope with

Issue 9: E-mail/web servers
• E-mail server
  - Inappropriate use of the e-mail system
    - Users leave unused e-mails on the server - spool directory full
  - Spam e-mail
    - Spammers send e-mail to other users via the local e-mail server
    - Use the latest anti-relay sendmail daemon
• Web server
  - Intranet/Internet access
  - Website defacement
    - HTTP server or the OS has unpatched loophole(s)
    - Patch any loophole or replace it with a secured server
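An added example for Issue 8, not part of the presentation: the slide suggests `netstat -a` for finding where the half-open connections of a SYN flood come from. This script parses a constructed `netstat -an` listing, counts connections per remote address that are still waiting for the final ACK (SYN_RECV on Linux, SYN_RECEIVED on Windows) and reports the sources that exceed a threshold, which is the list an administrator would take to the router to "disconnect the server from the source". The addresses are documentation ranges and the threshold is an assumption.

```python
from collections import Counter

# Constructed sample of `netstat -an` output; addresses come from RFC 5737 documentation ranges
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 10.1.2.3:80             192.0.2.10:40112        SYN_RECV
tcp        0      0 10.1.2.3:80             192.0.2.10:40113        SYN_RECV
tcp        0      0 10.1.2.3:80             192.0.2.10:40114        SYN_RECV
tcp        0      0 10.1.2.3:80             192.0.2.10:40115        SYN_RECV
tcp        0      0 10.1.2.3:80             198.51.100.7:51022      ESTABLISHED
tcp        0      0 10.1.2.3:22             203.0.113.5:33001       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}  # Linux and Windows spellings


def parse_netstat(text: str) -> list[dict]:
    """Turn netstat lines into records; header lines and UDP rows (no state column) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        remote_ip, remote_port = foreign.rsplit(":", 1)
        rows.append({"local": local, "remote_ip": remote_ip,
                     "remote_port": remote_port, "state": state})
    return rows


def half_open_by_source(rows: list[dict]) -> Counter:
    """Count connections stuck waiting for the final ACK, per remote address."""
    return Counter(r["remote_ip"] for r in rows if r["state"] in HALF_OPEN_STATES)


def suspected_flood_sources(rows: list[dict], threshold: int = 3) -> list[str]:
    """Remote addresses holding at least `threshold` half-open connections (assumed cut-off)."""
    counts = half_open_by_source(rows)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    print(half_open_by_source(parsed))
    print(suspected_flood_sources(parsed))  # ['192.0.2.10']
```

Because a SYN flood usually comes with spoofed source addresses, the list is a starting point for the router and sniffer checks on the slide rather than proof of who is attacking; the established connections from other addresses are left alone, which is what distinguishes targeted filtering from simply dropping all new connections.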
Security: Software Controls
System Implications
• Authorization control (who has access)
• Access privileges (what can they see)
  - Role-based, user-based access
  - Emergency access
• Authentication control (who they are)
  - Smartcard (ISS card), biometrics etc.
• Password controls (expiration, non-repeating, suspension)
• Audit controls
• Workstation timeout
• Automatic backup
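The software controls listed above (role-based access privileges, emergency access, password expiration, non-repeating passwords, suspension after failures, and an audit trail) as one worked example, added here and not taken from the presentation or from any HUKM system. The roles, privileges, user names and numeric limits are assumptions of the example.

```python
import hashlib
from datetime import datetime, timedelta

# Role-to-privilege map: a constructed illustration of role-based access
ROLE_PRIVILEGES = {
    "doctor": {"view_record", "order", "view_results"},
    "nurse": {"view_record", "view_results"},
    "pharmacist": {"view_orders", "dispense"},
    "coder": {"view_discharge_summary"},
}
# Privileges that emergency ("break-glass") access may unlock beyond the role
EMERGENCY_PRIVILEGES = {"view_record", "view_results"}

NOW = datetime(2004, 8, 12)  # constructed "current time" for the demo


def days_before(days: int) -> datetime:
    return NOW - timedelta(days=days)


def hash_password(password: str) -> str:
    """Illustrative digest so no clear-text password is stored; production code
    would use a salted, slow KDF rather than a bare SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


class AccessController:
    """Authorization, authentication and password controls, with an audit trail."""

    def __init__(self, password_max_age_days: int = 90, max_failures: int = 5,
                 history_size: int = 5):
        self.users: dict[str, dict] = {}
        self.audit: list[dict] = []
        self.password_max_age = timedelta(days=password_max_age_days)
        self.max_failures = max_failures
        self.history_size = history_size  # non-repeating: remember this many old hashes

    def _log(self, event: str, user: str, detail: str = "") -> None:
        self.audit.append({"event": event, "user": user, "detail": detail})

    def add_user(self, name: str, role: str, password_hash: str, changed_on: datetime) -> None:
        self.users[name] = {"role": role, "hashes": [password_hash],
                            "changed_on": changed_on, "failures": 0, "suspended": False}

    def change_password(self, name: str, new_hash: str, now: datetime) -> bool:
        """Reject a password that repeats one of the last `history_size` passwords."""
        u = self.users[name]
        if new_hash in u["hashes"][-self.history_size:]:
            self._log("password_reuse_rejected", name)
            return False
        u["hashes"].append(new_hash)
        u["changed_on"] = now
        return True

    def authenticate(self, name: str, presented_hash: str, now: datetime) -> tuple[bool, str]:
        """Suspension and expiration checks; repeated failures suspend the account."""
        u = self.users.get(name)
        if u is None:
            return False, "unknown user"
        if u["suspended"]:
            return False, "suspended"
        if presented_hash != u["hashes"][-1]:
            u["failures"] += 1
            self._log("login_failed", name)
            if u["failures"] >= self.max_failures:
                u["suspended"] = True
                self._log("suspended", name, "too many failures")
            return False, "bad password"
        u["failures"] = 0
        if now - u["changed_on"] > self.password_max_age:
            return False, "password expired"
        self._log("login", name)
        return True, "ok"

    def authorize(self, name: str, action: str, patient_id: str, emergency: bool = False) -> bool:
        """Role check first; emergency access grants a limited set and is audited loudly."""
        role = self.users[name]["role"]
        if action in ROLE_PRIVILEGES.get(role, set()):
            self._log("access", name, f"{action} {patient_id}")
            return True
        if emergency and action in EMERGENCY_PRIVILEGES:
            self._log("EMERGENCY_ACCESS", name, f"{action} {patient_id}")
            return True
        self._log("denied", name, f"{action} {patient_id}")
        return False


def run_demo() -> dict:
    """Exercise each control on constructed users; returns the outcomes for checking."""
    ac = AccessController()
    ac.add_user("drlim", "doctor", hash_password("Hukm#2004x"), days_before(10))
    ac.add_user("nurse1", "nurse", hash_password("Ward#One1"), days_before(100))
    ac.add_user("pharm1", "pharmacist", hash_password("Dispense#9"), days_before(1))
    out = {
        "doctor_login": ac.authenticate("drlim", hash_password("Hukm#2004x"), NOW),
        "nurse_login": ac.authenticate("nurse1", hash_password("Ward#One1"), NOW),
        "doctor_orders": ac.authorize("drlim", "order", "H123456"),
        "pharmacist_views": ac.authorize("pharm1", "view_record", "H123456"),
        "pharmacist_breakglass": ac.authorize("pharm1", "view_record", "H123456", emergency=True),
        "reuse_rejected": ac.change_password("pharm1", hash_password("Dispense#9"), NOW),
    }
    for _ in range(5):  # five bad guesses suspend the account
        ac.authenticate("drlim", hash_password("wrong"), NOW)
    out["doctor_after_lockout"] = ac.authenticate("drlim", hash_password("Hukm#2004x"), NOW)
    out["emergency_events"] = [e for e in ac.audit if e["event"] == "EMERGENCY_ACCESS"]
    return out
```

The emergency path is deliberately narrow: it never grants ordering or dispensing, and every use lands in the audit list under a distinct event name so that the audit controls on the slide can be reviewed for break-glass events separately from routine access.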
Biometrics
Security
• Positively identify a person
• Determine a person's authorization
• Securely communicate
• Track (audit) actions
Authentication
• Fingerprint
• Hand Geometry
• Facial Recognition
• Iris
• Voice Identity
Setting up of security alert group
• Responsibility
  - Setting up security policy and implementation plan
  - Educating the users on security awareness
  - Getting support from the top management
  - Updating all servers with the latest OS patches
  - Keeping the latest information on user systems/servers in a database in the LAN
  - Monitoring OS, firewall and proxy log files for any peculiarity
  - Reviewing the IT security measures continuously and making improvements from time to time
  - Security research group

Suggestions
• Access policy must be revised from time to time
  - i.e. depending on the new functions of data servers and clients
• Never use systems straight out-of-the-box, i.e. with default configuration
• All the auditing programs must be properly activated and the log files must be continuously monitored
• Educate users to appreciate the importance of IT security
• IT personnel must keep up with new security exploits and countermeasures
2. Integration
Use HL7 Messaging Standard

Steps
1. Register with HL7 body
2. Basic HL7 training
3. Negotiation with vendors for integration
4. HL7 product selection
5. HL7 product training
6. Software Development

Training - Basic
• Syllabus
  - HL7 Fundamentals
  - HL7 Ver 2.x Specifications
  - Selected Chapters From HL7 Manual
  - Examples of Integration
Training - Basic
• On Site Training
• Choices
  - Orion (New Zealand)
  - Kestral (Australia)
  - Neotool (Canada)
• Cost - minimum RM40,000 for 10 students, 2 day course

Negotiation for integration
• Systems affected
  - ILMS/IRIS
  - Pharmacy
• Information required from vendors
  - HL7 ready?
  - Type of HL7 messages available?
  - Development effort - combined or independent?
HL7 Tools
• To speed up the process of integration, we use a third party software library.
• Messaging toolkit, choice of software:
  - Orion Symphonia
  - Kestral HL7Connect
  - Interfaceware Chameleon
  - Neotool Toolkit

HL7 Product Training
• Done after the HL7 vendor is selected
• Timing of training to coincide with, and precede, the acquisition of the interface engine of any system which is to be integrated
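The kind of HL7 v2.x exchange the basic training covers, as an added example that is not code from the presentation or from any of the toolkits listed: a minimal parser for the pipe-delimited format reads a constructed ADT^A01 (admission) message such as a Core HIS would send to a lab system, extracts the header and patient fields an interface engine routes on, and builds the general acknowledgement (ACK with an MSA segment) that the receiving system returns. Application names, patient data, control ids and timestamps are invented for the example.

```python
FIELD_SEP = "|"
COMPONENT_SEP = "^"
SEGMENT_SEP = "\r"  # HL7 v2 separates segments with a carriage return

# Constructed ADT^A01 message; the sending/receiving applications, the patient
# and the control id are invented for this example
SAMPLE_ADT_A01 = SEGMENT_SEP.join([
    "MSH|^~\\&|CORE_HIS|HUKM|ILMS|HUKM|200408121030||ADT^A01|MSG00001|P|2.3",
    "EVN|A01|200408121030",
    "PID|1||H123456^^^HUKM^MR||DOE^JOHN||19700101|M",
    "PV1|1|I|WARD1^BED03",
])


def split_segments(raw: str) -> dict[str, list[str]]:
    """Split a v2.x message into segments keyed by name, with fields numbered as in
    the standard: fields[i] is field i and fields[0] is the segment name."""
    segments = {}
    for seg in raw.split(SEGMENT_SEP):
        if not seg:
            continue
        name = seg[:3]
        if name == "MSH":
            # MSH-1 is the field separator character itself, so it is spliced in by hand
            fields = [name, seg[3]] + seg[4:].split(seg[3])
        else:
            fields = seg.split(FIELD_SEP)
        segments[name] = fields
    return segments


def component(fields: list[str], index: int, comp: int = 1) -> str:
    """Return component `comp` (1-based) of field `index`, or '' if absent."""
    if index >= len(fields):
        return ""
    parts = fields[index].split(COMPONENT_SEP)
    return parts[comp - 1] if comp - 1 < len(parts) else ""


def parse_message(raw: str) -> dict:
    """Pull out the header and patient fields an interface engine routes on."""
    segments = split_segments(raw)
    if "MSH" not in segments:
        raise ValueError("not an HL7 v2 message: MSH segment missing")
    msh = segments["MSH"]
    info = {
        "sending_app": msh[3], "sending_facility": msh[4],
        "receiving_app": msh[5], "receiving_facility": msh[6],
        "timestamp": msh[7], "message_type": msh[9],
        "control_id": msh[10], "version": msh[12],
    }
    if "PID" in segments:
        pid = segments["PID"]
        info["patient_id"] = component(pid, 3)          # PID-3 patient identifier
        info["patient_name"] = f"{component(pid, 5, 2)} {component(pid, 5, 1)}".strip()
    return info


def build_ack(info: dict, ack_code: str = "AA", timestamp: str = "200408121031") -> str:
    """General acknowledgement back to the sender; AA = accept, AE = error, AR = reject."""
    trigger = info["message_type"].split(COMPONENT_SEP)[1]
    msh = FIELD_SEP.join([
        "MSH", "^~\\&", info["receiving_app"], info["receiving_facility"],
        info["sending_app"], info["sending_facility"], timestamp, "",
        "ACK^" + trigger, "ACK" + info["control_id"], "P", info["version"],
    ])
    msa = FIELD_SEP.join(["MSA", ack_code, info["control_id"]])
    return SEGMENT_SEP.join([msh, msa])


if __name__ == "__main__":
    parsed = parse_message(SAMPLE_ADT_A01)
    print(parsed)
    print(build_ack(parsed).replace("\r", "\n"))
```

The MSA segment echoes the original control id, which is how the sending system matches the acknowledgement to the message it sent; a toolkit such as the ones listed above does the same bookkeeping, plus the validation, queueing and retries that this sketch leaves out.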
Suggestion: System Integration
[Diagram: Core HIS & Order entry (Oracle) with Client User Interface; Sql Net to the Oracle databases; HL7 through the Integration Agent to IRIS/ILMS (Oracle), Medipro (Oracle), SKU (Informix) and SMK (Informix); PACS (Postgres) with DICOM and DICOM Worklist to the Modalities (Scanning)]

Gantt Chart
1. Register with HL7 body - Done
2. Basic HL7 training - August 2004
3. Negotiation with vendors for integration - June 2005
4. HL7 product selection - August 2005
5. HL7 product training - September 2005
6. Software Development - Jan 2006
Summary
• HUKM has implemented a few departmental systems (standalone) since 1997.
• We will replace a few systems, esp. Core HIS, with our own (home-grown) systems in phases.
• We adopt Health Level 7 as the integration standard.

Thank you