BBI Contributing Editor

SAN DIEGO, California - Many vendors use the annual conference and exhibition of the Healthcare Information and Management Systems Society (HIMSS; Chicago, Illinois) to showcase their latest security enhancements to each other and to hospital chief information officers in attendance. Add to that more than 600 vendors demonstrating products and technology enhancements and you have a show that can attract a mix of 19,000 healthcare providers, payors, vendors and others. The conference starts with vendor presentations on Sunday, which can be a great help for attendees trying to determine which booths and products they may want to see from the sea of booths and products on display.

Information technology is a growing part of the U.S. healthcare landscape, as the latest forecast for HC growth from Dorenfest & Associates (Chicago, Illinois) shows. While growth rates of 6% to 9% are not dramatic, in a context of contraction in many other healthcare segments, they look positive. Dorenfest's forecast for HIT growth is shown in Table 5 on page 91.

Several factors are driving this market:

Health Insurance Portability and Accountability Act (HIPAA) compliance and security infrastructure issues.

Computerized physician order entry and related activities to reduce adverse drug events.

Clinical information delivery at the point of care and the new wireless and hand-held technologies that are driving it.

Progress on PDA and PC Tablet platforms.

Informatics issues related to bioterrorism.

The Department of Defense has attended HIMSS every year since the first Gulf War, but this year it sent 140 personnel to demonstrate its IT systems to the additional 600 military personnel from various services who come to HIMSS to learn about new technologies.

Wireless networking was a hot issue in the annual HIMSS Leadership Survey and emerged as a top priority this year, jumping from 22% on the 2002 survey to 72% on the 2003 survey. Enhancing data security technologies also jumped by 17% to 55% in 2003, only surpassed by putting wireless infrastructure in place. XML was a distant third priority at 29%, but was nonetheless up from the 15% who indicated it as their priority in 2002. One thing that CIOs are not spending a lot of money on is training personnel to use new or existing systems, which fell in priority on the 2003 survey.

How all of these wireless computing platforms will move around the healthcare enterprise is another matter. The PDA-based platforms are small enough to be carried by healthcare providers themselves, but laptop PCs are another matter. These are becoming cart-based, push-around devices.

Tablets are testing the boundaries in between. Some are small and light enough to be carried around (about three pounds) but have limited, less than six-hour operating time on batteries. Others with a second (optional) battery pack offer 10 hours of operating time, but weigh in at least one pound heavier at between four and four-and-a-half pounds. It's unclear whether providers will carry these devices around, particularly busy nurses and doctors.

Two vendors vying to be the mobile platforms for such systems are Tremont Medical (Aston, Pennsylvania) and EMS Wireless (Norcross, Georgia). Tremont used the HIMSS gathering as the forum to announce its newest ROSY mobile cart. ROSY is a platform for cart-based PC and tablet systems. In addition to being well engineered and ergonomically flexible, it was one of a few carts that met point-of-care electrical safety (UL) requirements to operate at the patient's bedside. The extended-life battery (six hours) and rapid recharge system allow ROSY to provide extended service even when not plugged into the wall. Add integrated vital signs and wireless networking and you have a very flexible combination of monitoring and mobile computing platform for the subacute care setting. ROSY is distributed through Datavision (Warminster, Pennsylvania).

One limitation of ROSY compared to rival EMS Wireless is that EMS not only makes the cart, but also the WIFI-compatible wireless components, providing hospitals with one-source supply and support for both the mechanical (cart) components and the wireless networking components. The EMS Wireless carts meet all electrical safety requirements (namely UL 2601) to be used at the patient's bedside, even in a critical care unit. The EMS carts are well designed, have a low center of gravity to prevent tipping over and come with a variety of CPU and memory configurations.

We were surprised to find that several other vendors' products did not have similar safety certifications, raising questions about their viability in some clinical applications where they could be within reach of staff attending a patient. This may become more of an issue as such devices are more widely deployed to host the point-of-care computerized patient record hardware that is now being more widely implemented.

The mobile carts or wall-based computer housings were not the only wireless issues at HIMSS. A variety of new wireless networking product enhancements also were being shown. Symbol Technologies (Holtsville, New York) was showing its new Mobius components and Proxim (Sunnyvale, California), its Harmony and Tsunami products. Both of these suppliers are fighting an uphill battle to place the core wireless infrastructure into the healthcare vertical market space against larger networking companies such as Cisco Systems (San Jose, California), Lucent Technologies (Murray Hill, New Jersey) and others, who are too big to be bothered with a show that represents only a $28 billion market. Not all vendors of mobile carts were at HIMSS. Stinger Industries' (Murfreesboro, Tennessee) Mobile TS is a product to look at for healthcare applications, in addition to products from Planar Systems (Beaverton, Oregon) and Datalux (Winchester, Virginia), both of whom were at the conference.

Wireless PDAs premiere

Symbol's new PPT 8800 was a slick PDA in an uncharacteristically stylish package that showed off its clear, colorful display well. Available with a variety of keyboard options, the 8800 can be custom-tailored to exact healthcare vertical market needs. Smaller than previous generations of Symbol embedded PDA devices, it still manages to pack in a laser bar code scanner and 802.11b WIFI transceiver, all of which is powered by a Windows CE-based operating system running on an Intel X-Scale (PXA 250) processor. Its 32 Mbyte memory space should be adequate for many currently available medical applications and at 11 ounces, it would seem like a rock to the provider who carries it around all day. Powered by rechargeable NI-MH cells, the device fits many medical applications quite well. There is also a conventional RS-232 and IrDA port, as well as speaker and sound. Type II CF cards are supported, along with Bluetooth and other transceiver options.

Symbol wasn't alone in showing off new PDAs. HP (Hewlett-Packard; Palo Alto, California) was showing its latest I-Paq PDAs and the new Palm Solutions Group's (Milpitas, California) Titanium also was shown along with many new software applications for both types. While there are a few more applications for Palm than Pocket PC, the difference is disappearing as the Pocket PC sales are catching up with Palm sales. The Titanium, while a major advance for Palm users, still has a small memory compared to the Windows PDAs. This is causing many to choose the Windows PDA and hardware platform, perhaps because it offers more memory and processing power and is less likely to run short as more and more programs are loaded onto these devices in the future.

Wireless patient, staff and asset tracking

An interesting niche market for wireless is in asset and people location and management. There have been several vendors who have come and gone in this application niche. A couple of years ago Pinpoint Technologies was offering a radio frequency (RF) location technology that GE Medical Systems (Waukesha, Wisconsin) for a time embraced and romanced until Pinpoint ended in bankruptcy. It is now history and GE is aligned with a new partner, WhereNet (Santa Clara, California). WhereNet recently announced on its web site an agreement with Siemens Medical Systems, thus cornering two of the four global patient monitoring vendors. But there are other small, start-up vendors seeking to enter this interesting RF space as well. While they were not exhibiting formally at HIMSS, representatives from both Elite Care Technology (Milwaukie, Oregon) and Sentinel Wireless (Lawrence, Massachusetts) were wandering through the exhibits, presumably telling other vendors about the products they are developing.

The Elite Care Technology product uses a combination of RF and IR badges to track people and equipment. One of the badges, the Asset Tag, has an anti-tampering feature that transmits an alarm signal whenever its "tag" approaches an exit zone. Another type of badge is available for patients or staff. It includes a button that can activate a preprogrammed function when pushed. The preprogrammed function could range from an alert notification to a page request. Their product is presumably aimed at the skilled nursing facility or facility that handles Alzheimer's or cognitively-impaired patients.

Sentinel Wireless is developing a more elaborate but similar technology in cooperation with Massachusetts General Hospital (Boston, Massachusetts). This system is aimed at real-time asset management, something of great interest to healthcare providers who are always looking for equipment they know they have but can't seem to find. The Sentinel Wireless solution is a bit more flexible than Elite Care Technology's, as it is based on the latest industry-standard technologies such as .NET and XML. The interface to the system is web-browser based, so almost any device can access the ODBC-compliant database and location resolver software from anywhere in the enterprise that offers local area network access.

The investment in the Sentinel solution has a payback of less than one year, depending on the application(s) it is used for. The badge itself has two buttons that can be programmed for a variety of meanings, and there is a small, disposable badge that is ideal for patients being monitored with wireless telemetry devices, whom the staff need to locate in the event of an emergency situation. Neither of these companies was a formal exhibitor at HIMSS, however. If we hadn't caught them wandering the exhibit halls, we wouldn't have known they were there.

Finally, Clarinet Systems (Fremont, California) was at HIMSS promoting a different idea for wireless: infrared wireless. Its system provides an IR link from provider-carried PDAs or tablet PCs to an IR access point, similar to an RF access point, which is then integrated into an Ethernet network using its EthIR LAN products. These products support all popular PDAs and tablet PCs, including Palm, Pocket PC 2002 and Windows XP OS devices. Because the IR link is line of sight and local, it is inherently more secure than using any RF link, which can radiate far beyond whatever room the transmitter is in. The other advantage is that power drain is lower and data rates are high, in theory at least.

Connectivity progress

HIMSS is always a good place to check out system connectivity advances. The Integrating the Healthcare Enterprise (IHE) initiative, a joint project of HIMSS and the Radiological Society of North America (RSNA; Oak Brook, Illinois), always has a demonstration at both HIMSS and RSNA, and the demo at HIMSS this year included some educational presentations about how IHE implements standards such as HL7, DICOM and others to enhance data exchange among various healthcare IT systems. The most interesting thing was the support for new, public health (biological warfare) type messages from providers to the Centers for Disease Control and Prevention (CDC; Atlanta, Georgia) or other public health agencies, perhaps the important first steps in establishing an automated, nationwide healthcare messaging network. Such a network could become very critical to the early recognition and identification of biological or chemical attacks and help to contain exposure and reduce deaths. These new message types have been added to the HL7 standard by HL7, which had partnered with the CDC and FDA to incorporate and demonstrate some new message types using HL7 messages.

Other recent developments such as implementation of the Arden Syntax, CCOW Clinical Context Standard and Version 3 messaging were demonstrated. These new HL7 features should begin appearing in updated versions of hospital and clinical information systems that support HL7 standards during 2003. The new public health message enhancements were particularly impressive and will hopefully be adopted by cooperating vendors as soon as possible given the political realities in the U.S. war on terrorism and war in Iraq.

Both increased security and the ease of use of single-point sign-on were emphasized at HIMSS. While these are somewhat contradictory objectives, CCOW is one of the HL7 tools that helps to harmonize them. Assuming that the one CCOW logon can be made secure, perhaps with biometric ID and password, then the ability of CCOW to log in and synchronize all other records available (in CCOW-enabled applications) goes a long way to providing secure, single-point sign-in. That, in turn, goes a long way to getting staff enthusiastic about using electronic systems and not having to remember scores of passwords or waste time constantly signing into various departmental systems. Interest is therefore growing in CCOW-enabling systems.

Security software and systems

Other vendors also were showing secure login products, and some didn't have to come too far. Protocom Development Systems (San Diego, California) showed up with its SecureLogin products.

Others such as Citadel Security Software (Dallas, Texas) offered software to assess and/or fix security vulnerabilities. Citadel does work not only for hospitals, but for large vendors such as IBM Global Services, the U.S. Navy and Air Force and the Federal Reserve Bank in Chicago. But their services come at a steep price tag.

Virus and hacker attacks are increasing, so tools like antivirus software, firewalls and intruder detection software are becoming essential to keeping medical networks, repositories and the patient information they contain secure. Because enterprise healthcare systems require continuous, broadband Internet access and the Internet is a worldwide network, hospitals are vulnerable to attacks from worldwide sources. Studies by Symantec (Cupertino, California) show that 80% of all attacks come from 10 countries. The U.S. leads the world as a source of attacks, accounting for over 35% of all attacks detected. The most common malicious code (virus) attacks seen were the Klez, Bugbear and Opaserv viruses, accounting for 80% of all attacks.

Sector leader Symantec attended HIMSS, but rival McAfee, a virus and security company that is a unit of Network Associates (Santa Clara, California) and which has recently introduced a medical version of its products, was conspicuous by its absence. We have found that the Norton security products from Symantec require less system overhead and run at lower priorities than do the McAfee virus and security products when they are active. The McAfee application is designed so that even those with administrative privileges are unable to take control and reduce program processing priority. This makes the process more secure when it is running, but makes reclaiming CPU processor priority nearly impossible at critical times.

As more hackers attempt to gain unauthorized access to more systems, new "holes" and system vulnerabilities are discovered. In 2002 documented vulnerabilities of systems increased by 81.5%, according to Symantec's Internet Security Threat Report. The Symantec data was based on data from 400 companies that have deployed more than 1,000 intrusion detection systems in their facilities, which are located in 30 countries. Typical attack rates that hospital networks must protect against are 30 attacks per company per week, which is an increase of 20% over levels seen in 2001, according to Symantec. Of companies attacked, 21% report severe attacks, but the good news is that severe attacks have fallen from the 43% that were seen just two years ago, which indicates that companies are doing a better job of protecting themselves from such events. This is impressive given the data reported by Symantec that threats documented in 2002 were 84.7% more severe than in 2001, so we are doing better even though the level of threat has been dramatically increasing. Risks are more serious for systems that use open source code such as Linux or FreeBSD or other forms of Unix because a number of open-source programs were Trojanized during the past 12 months.

Like other vendors, Symantec was showing basic applications like workstation and enterprise virus checkers and firewalls, along with more sophisticated tools like its ManHunt and ManTrap products. ManHunt is one of several software products that monitor the enterprise to detect intrusion and hacker attempts to penetrate the internal network or to attack it with denial-of-service attacks. Combined with its VelociRaptor "perimeter" security, Symantec is offering a range of tools to protect the network from outside attack. However, many attacks come from within the network. To help protect against these, Symantec also offers products like ManTrap, a "honey pot" decoy that attracts and captures internal attackers with what looks like interesting or sensitive data, but is in fact decoy information established on the network to attract internal hackers.

Virus software overhead is something that vendors' support personnel can easily overlook in working with unhappy customers. Windows provides a mechanism (through Task Manager) for adjusting program run priority (either above or below the default "normal" level that most application programs run at). However, users without administrative privileges or enterprise-wide security policies may not be able to access these, and even if they can and find that McAfee antivirus is running at above normal priorities, they will be unsuccessful in throttling back priority to normal levels, even if they possess administrative privileges on the machine running McAfee.

In addition to the security software, there was a lot of security hardware being shown at HIMSS. CipherOptics (Raleigh, North Carolina) was showing a secure gateway for medical networks. The combination of features on this product was impressive. The gateway provided full Gigabit Ethernet wire speed with 3DES IPSec encryption. The IPSec policies require SSL-secured management sessions, which also support SSH protocol version 2 remote login and configuration. The product is flexible enough to support site-to-site virtual private networks and IP-based storage networks. There are two factors that will limit the adoption and market penetration of this company. First, Cisco owns much of the network infrastructure hardware space and second, this hardware system is expensive compared to what Cisco offers. It is much more secure, but at a considerably higher price. It seems likely that Cisco and others will elaborate their products at lower cost and then compete on a price and enterprise-wide standardization basis with companies like CipherOptics.

A more cost-effective approach to e-mail security would be the use of PKWare's (Brown Deer, Wisconsin) PKZIP products on all servers and clients. These are available now on computers running MVS, OS/400, various flavors of Unix and all Windows PC platforms, providing cross-platform encryption and decryption compatibility among most computing platforms found in most healthcare enterprises. A message is encrypted and then sent across an unsecure channel to the recipient, who uses PKZIP to decrypt and display it. The password for encryption is sent by a secondary means, say fax or voice, so that anyone who has intercepted the message in the meantime is unable to decode it because they lack the password used for the encryption and transmission. This is a whole lot less expensive than creating and maintaining secure servers and, if properly applied, just as secure. It also is not as subject to hacking by outsiders. Strong encryption was added to the PKZIP Professional 6.0 version of the product.

PDA security

Managing security in environments with a lot of mobile, PDA-type devices can be a challenge, but Credant Technologies (Addison, Texas) was there to offer the answer with its Mobile Guardian Gatekeeper products for all business flavors of Windows. This works with a Mobile Guardian Shield product that installs on Palm, Sony, Handspring, HP, Compaq, Casio and other PDAs, providing one central point of management and control for policy-based assertions to any PDA that enters the healthcare environment and is granted access to the network. PDAs without Guardian Shield can be denied network access.

For mobile healthcare workers that need hard copy of the data on their PDAs and don't mind carrying around a small printer that weighs less than a pound, Infinite Peripherals (Arlington Heights, Illinois) was showing its PP-50MS thermal printer that attaches directly to (and under) a PDA. PDAs currently supported include most Palm models. The PP-50MS also adds a magnetic card reader, allowing healthcare ID cards to be swiped through it. If you want to then send or authenticate the card data remotely, there is an optional 802.11b or Bluetooth transceiver option. This is very similar to the "holsters" offered by Symbol Technologies for the Compaq (now HP) I-Paq series of PDAs.

While on the subject of unique PDA extensions, Margi Systems (Fremont, California) was showing its Presenter-to-Go wireless links for Palm, Sony, Handspring and Pocket PC-based PDAs, which take data on the PDA and convert it into presentation-quality images using conventional projection display systems normally driven by a laptop computer and PowerPoint. It even supports on-screen annotation while one is giving a presentation. All of these enhancements are wonderful, but they draw down batteries very quickly, so road warriors using such devices will need to have extra batteries and a recharger on hand.

PDA medical applications

This year's HIMSS gathering extended the scope of medical applications that had been ported to PDA devices. Some of these PDA applications are huge time-savers. The most impressive company we encountered on the exhibit floor was Skyscape (Hudson, Massachusetts). This 30-employee newcomer (founded in 2000) offered an impressive number of PDA references, ranging from popular titles by Dorland's, Taber and Stedman (dictionaries) to two drug interaction analyzers, eight drug reference resources and 35 additional significant clinical publications, which support evidence-based clinical practice in medical specialties ranging from anesthesiology to toxicology and most everything in between. This was just one of many companies offering similar PDA-based references. For users that want to load several of these applications on their PDAs, the size of memory doesn't matter because the latest PDAs have memory expansion slots that can accept up to 512M memory cards. Skyscape applications are written to load and run from this memory, placing no practical limit on the number of applications that can be hosted on the PDA platform.

Skyscape is the leader in this field, with more than 160,000 current users of one or more of its applications. The time savings come from being able to index and link data from all the applications. This allows a user, say a physician, to make clinical decisions about a patient without dragging out a bunch of reference texts and searching through them all. Here's how it works. The MD starts with the five-minute Clinical Consultant application and tracks down the disease. Then with one click he "smart links" to the Thomson Physicians Desk Reference (PDR), which returns all drugs specific to that diagnosed condition. He doesn't have to search the PDR, since it is pre-indexed based on the clinical condition displayed in the Clinical Consultant when the smart link is activated. He then picks a drug and asks the patient what other medications he is taking. As a quick check for interactions between what he is about to prescribe and other patient medications, he smart-links to the I-fax guide of drug interactions. Three seconds later the interactions for that specific drug and all other drugs are displayed, no searching involved. The entire process can take about 20 to 30 seconds on the PDA, but 10 to 20 minutes if the individual books have to be located and manually searched, assuming they all can be found and no other doctor is using them.

Smart-link is the patented feature that makes this Skyscape system work so efficiently. The entire suite of three applications costs less than $170, and the breakeven on this investment given the practice time saved by the typical physician is less than a week, depending upon the types of patients seen. Coupled with a catalog of products that spans many separate publishers, this system is the most flexible and efficient PDA application we saw at HIMSS. Given the fact that at least 50% of physicians own or will own a PDA by next year, the market for these solutions is enormous. It includes 700,000 physicians, 50,000 physician assistants, about 3 million nurses plus medical students, clinical assistants and others. Skyscape has automated all of the local applications that a physician could need. In combination with other applications that would obtain patient formulary, allow a prescription to be transmitted to the pharmacy and pull down lab results wirelessly, you have all the ingredients for a PDA-based automation of most tasks performed by physicians in their offices.

Skyscape was by no means the only supplier available. Lexi-Comp (Hudson, Ohio) was offering a whole library of its "On-hand" medical applications that also support both Palm OS- and Pocket PC-powered devices. The range of applications was more limited but in some cases more in-depth. Lexi-Comp offers Lexi-Drugs for Pediatrics, Dentistry and Nursing, as well as Poison and Toxicology references, Infectious Disease and Diagnostic references and other products. Prices are around $75 for a single title but drop substantially when multiple titles are ordered.