Build private roads behind the firewall to run Web-based applications and it’s an intranet; open a gate to run on the public thoroughfare and the roadway becomes an extranet. Sounds simple, but actual configurations are much more complex and sport an incredible number of permutations. Produced by the same technology that has brought us the mother of all network applications--the Internet--intranets and extranets guard the organization’s data doors, opening them as much or as little and to as few or as many as the organization chooses. How organizations define intranet and extranet networks--who can access internal information and how much--determines the final format.
Active intranet and extranet business models are now realities in many healthcare organizations. Currently, most address the basic problems of internal communications, information resources and marketing. The intranet is most often used for administrative and patient-related data access behind the relative security of a firewall; users outside the firewall access corporate information via an extranet configuration. Usually implemented first for physicians and staff in remote locations, extranets can also support access to a wider audience with patient-specific information or generic information. Quite new to the healthcare venue is the idea of marketing, but a review of hospital home pages reveals that competition among providers is fueling such a drive. According to IBM market research, about half of all hospitals in 100 of the leading U.S. population centers have an Internet presence.
Business networking communications are evolving: intranet vs. Internet/extranet decisions are replacing LAN vs. WAN decisions. "The capability to have a common platform is a quantum leap in computing," says Gail Gulinson, vice president, health networking solutions, IBM’s Global Healthcare Industry, Waltham, Mass., but the technology options are numerous. When it comes to planning and implementing an intranet or extranet application, she says, "The most successful are those who have identified and understand the business problem and how an intranet/extranet installation will add value to the equation."
Many healthcare organizations are already using electronic commerce for information management, supply ordering and supply chain management; now they are beginning to blend care issues with traditional business and financial issues. In the more fluid business environment where customers are voting with their feet, providers and payors alike are looking at ways to raise consumers’ levels of satisfaction. Many payor plans are adding customer services. In some, for instance, members can access disease management information with passcode-access as well as perform more mundane tasks such as updating personal information.
Extranet requires more security
While the intranet operates in relative security, the extranet brings new challenges, particularly for privacy and for security--major issues in installations. The combination of additional security layers and third-party devices usually brings more security to the table than ever was in place before the idea of Web-based access. "In most cases intranets are more secure than the current system. In addition to adding operating layers, intranets have audit trails--unknown in most traditional healthcare environments," notes Gulinson. Most businesses want to begin with a very basic, very modular and very scalable system and, although intranets are commonly built first in healthcare, she says, it isn’t long before the organization adds a front end to provide generic access to the Internet through the firewall.
As payors and providers look to the extranet phase of development, many see the extension as fairly noninvasive--where they can continue to operate in the same general patterns while adding value to their members. She points out that most extranets do not support data access at the patient-specific level--at least not initially. The VHA has begun an extranet project with IBM to link VHA’s 1,400 healthcare organizations with each other and with key partners that include physicians, insurers and suppliers. Although the VHA has announced plans to share best practices in patient care, this refers to categories and disease states--not patient-specific information.
In a time when Internet access and data overload can result in not just conflicting, but sometimes erroneous information, many healthcare organizations are responding with "branded" information, that is, information that carries the hospital’s seal of approval. "Content is king," says Teresa Choi, manager of the Virtual Hospital project and the Electric Differential laboratory at The University of Iowa Hospitals and Clinics Virtual Hospital, Iowa City, Iowa, regarding the philosophy of quality information. Patients seem to agree. The Virtual Hospital draws information seekers not only from its regional pool, but visitors from all corners of the globe. According to Choi, more than 50 percent of people accessing the site are looking for patient information; the remainder are seeking information on healthcare providers.
Integrity in demand
As consumer empowerment grows, the demand for information with integrity grows. Several recent studies show that the fastest growing segment of the population using the Internet is the group over age 55. To the healthcare organization, this is opportunity knocking--this group represents the high-cost consumers. Not the silent, retiring elderly, they are active information seekers often with the greatest needs for health and medical information. Allina Health Village’s extranet is targeting just that age group with customized member information. Gulinson suggests that other organizations might consider interactive outreach services such as physician-moderated online chat groups as extranet applications.
Security may not be an issue for educational material, but when the question is access to patient data, it’s quite another story. Acknowledgment of reported cases of abuse and the recognition of even greater potential abuses have prompted the federal government to not only address the issue, but to adopt new regulations in February 1998 under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Privacy and security issues escalate as the access ring widens through intranet and extranet access.
The network installation at Carondelet Health, Kansas City, Mo., was planned to provide controlled and secure access to patient data on the legacy healthcare information system for the medical staff from the facility or from a remote location. Dan Moffatt, vice president and chief information officer, says the system, nine years in the making, has been possible only with the combination of the Internet and Carondelet’s online records. "The Internet as a vehicle for access to patient data is laying the foundation to the future," he says.
After investigating the use of frame relay and ATM technologies--and finding costs prohibitive--Carondelet looked to its telecommunication provider for a possible solution. A collaborative effort with Sprint Healthcare Systems, Inc., resulted in what Sprint terms a virtual private network (VPN), differentiating it from an intranet because of its authentication and encryption security features.
For Carondelet, security was the most important issue in the implementation, says Chuck Bowen, vice president and general manager for Sprint Healthcare Systems, Inc. Now that the system is in use, Moffatt is pleased with IntraMed’s encryption capabilities and says that although it adds difficulty layers for the user, it works flawlessly to give physicians ubiquitous access, whether they are in the office or at home. One physician conducts what he calls electronic rounds throughout the course of the day when he checks on his hospitalized patients in unplanned time gaps. A side benefit--not originally intended for the first stage of implementation--has been to hospital executives who are also taking advantage of the remote access capabilities.
In the wake of vendors such as Lawson Software, Minneapolis, which was one of the first vendors to bring a product line built on Web technology to market, several healthcare information system vendors are actively developing Web-based software applications.
Some applications, particularly human resources systems, are well developed and in general release. In healthcare, much of the leading-edge work is still being done at academic institutions, but healthcare vendors have not been idle.
One of the first to publicly proclaim capabilities for the technology was Compucare, Reston, Va., which announced a prototype at the Healthcare Information and Management Systems Society (HIMSS) show in March 1996. Although that company’s intranet application is still in beta, Graham Joyce, product manager, believes Clinician Access is the first Web-enabled clinical application up and running.
Healthcare’s roads on the Web are growing at a phenomenal rate, but it has become such a phenomenon that software vendors must address the issue to maintain credibility--either by announcing a Web-based product or having one in development. Some creative marketing efforts are using the similarities of the Web-based thin client/Web server with the mainframe/dumb terminal system to advertise a "thin client model very similar to the Web." Not quite.
Intranets and extranets clearly have possibilities for both the clinical and the financial side of the business--they also create challenges. Creativity, IS know-how and budgets can be accelerators or road bumps, but in the end, the challenges are in pulling it all together for the competitive edge, be that for clinical or financial advantages.
CASE IN POINT
The University of Iowa Hospitals and Clinics
Transforming its legacy information network Online Retrieval & Medical Management System (INFORMM) to a Web-based patient record server, The University of Iowa Hospitals and Clinics (UIHC) in Iowa City, Iowa, is opening the system while leveraging its technology investment. Developed over the past 20 years, the UIHC’s mainframe is a high volume system that hosts all administrative and patient data operations. Plans to build a computer-based patient record included the possibility of purchasing a commercial software package, says James Wagner, CIO, but study results indicated that internal development could not only bring sophistication to an already robust system, but would capitalize on the existing investment.
One challenge was to move the legacy system to an equipment platform that would support a graphical user interface. Tapping into the center’s wealth of information resources is the next step. From a performance standpoint, Wagner does not believe that all Web-based functions are well-suited to satisfy the high volume requirements for a medical center such as The University of Iowa at this time. Consequently, the center has concentrated Web development on providing information retrieval, particularly for users in remote locations. This hybrid method uses client/server applications running on PCs and Web-based applications using a standard browser to retrieve information. UIHC retained its central data repository, but developed new front ends with added functionality and access to other legacy applications.
Response to security issues
New federal guidelines are under way to tighten privacy issues surrounding patient information, but Wagner says UIHC has already been very aggressive on both privacy and security fronts. In addition to standard tiered security levels, UIHC security functions limit staff to specific functions on specific patient populations. Physicians have unrestricted access, but even that has come under some scrutiny. UIHC has responded by adding the capability to assign a population parameter with exemption access.
Wagner’s team has also dealt with another little-reported issue--the fact that many healthcare employees are reluctant to be seen at their own medical center because of the potential access by coworkers to their medical information. To deal with those issues, the IS department created another set of online functions where employees can call up their electronic medical record from a workstation and review the audit trail of all staff members who have reviewed the medical record.
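The controls described in the two paragraphs above (staff limited to specific functions on specific patient populations, plus an audit trail a patient can review) can be sketched as follows. This is an added illustration, not UIHC's code; the class and function names, the "*" exemption marker, the logging of denied attempts and all sample ids are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

ALL = "*"  # assumed marker for an explicit exemption from population limits

@dataclass(frozen=True)
class Grant:
    function: str    # what the staff member may do, e.g. "view_labs"
    population: str  # which patient population it applies to, or ALL

@dataclass
class RecordServer:
    grants: dict         # staff id -> set of Grant
    population_of: dict  # patient id -> population
    audit: list = field(default_factory=list)

    def access(self, staff, function, patient):
        """Decide one request and append it to the audit trail."""
        pop = self.population_of.get(patient)
        allowed = pop is not None and any(
            g.function == function and g.population in (pop, ALL)
            for g in self.grants.get(staff, ())
        )
        # Assumption: denied attempts are logged too, so probing is visible.
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "staff": staff, "function": function,
            "patient": patient, "allowed": allowed,
        })
        return allowed

    def who_viewed(self, patient):
        """Audit entries for one patient's record, oldest first."""
        return [(e["staff"], e["function"], e["allowed"])
                for e in self.audit if e["patient"] == patient]

def build_demo():
    # Constructed sample data; all ids and population names are invented.
    return RecordServer(
        grants={
            "nurse_a": {Grant("view_labs", "cardiology")},
            "dr_b": {Grant("view_labs", ALL), Grant("view_notes", ALL)},
        },
        population_of={"pt_1": "cardiology", "pt_2": "oncology"},
    )

if __name__ == "__main__":
    srv = build_demo()
    for req in [("nurse_a", "view_labs", "pt_1"), ("nurse_a", "view_labs", "pt_2"),
                ("nurse_a", "view_notes", "pt_1"), ("dr_b", "view_notes", "pt_2")]:
        print(req, srv.access(*req))
    print(srv.who_viewed("pt_2"))
```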
For extranet data transmissions UIHC chose an Internet tool with encryption capabilities. Operative for over two years, it is used by remote users to access the facility’s information resources using secure identification cards.
"There is still a large component of staff who do not think that security is a problem," says Wagner. "They think that any precautions to protect confidentiality are roadblocks--another hurdle to go over before they can access the information." With the exception of some minor cases of inappropriate employee access, all of Wagner’s precautions have been proactive and there have been no serious breaches in security.
Charlene Marietti is senior technology writer at Healthcare Informatics.