enabling software technologies for mobile healthcare solutions

Enabling Software Technologies for Mobile Healthcare Solutions September 15, 2012 Russ Hertzberg Vice President, Technology Solutions

Upload: softserve-inc

Post on 11-May-2015


DESCRIPTION

Speaking at the 2012 AHIMA Convention and Exhibit, SoftServe's Russ Hertzberg, Vice President, Technology Solutions, shared some valuable insights on “Enabling Software Technologies for Mobile Healthcare Solutions”. Here is the presentation that Russ delivered at this important educational event.

TRANSCRIPT

Page 1: Enabling Software Technologies for Mobile Healthcare Solutions

Enabling Software Technologies for Mobile Healthcare Solutions

September 15, 2012

Russ Hertzberg, Vice President, Technology Solutions

Page 2: Enabling Software Technologies for Mobile Healthcare Solutions

Agenda

▪ Security Services and Technologies

▪ Mobile Device Management

▪ Rich User Interface on Small Form Factor Mobile Devices

▪ Web Services; HL7; Performance Considerations

▪ Mini Case Study

▪ Conclusions; Q and A

Page 3: Enabling Software Technologies for Mobile Healthcare Solutions

Security Services and Technologies

▪ The Compliance Domain:

– Protected Health Information (PHI)

– What PHI Exactly to Protect

▪ How to Protect It

▪ Tools, Techniques, Tips

Page 4: Enabling Software Technologies for Mobile Healthcare Solutions

PHI is:

▪ Names

▪ All geographical identifiers smaller than a state

▪ Dates (other than year) directly related to an individual

▪ Phone numbers

▪ Fax numbers

▪ Email addresses

▪ Social Security numbers

▪ Medical record numbers

▪ Health insurance beneficiary numbers

▪ Account numbers

▪ Certificate/license numbers

▪ Vehicle identifiers and serial numbers, including license plate numbers

▪ Device identifiers and serial numbers

▪ Web Uniform Resource Locators (URLs)

▪ Internet Protocol (IP) address numbers

▪ Biometric identifiers, including finger, retinal and voice prints

▪ Full face photographic images and any comparable images

▪ Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data

Page 5: Enabling Software Technologies for Mobile Healthcare Solutions

What PHI to Protect…Abstract or Complex Cases

▪ “Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data”

– External application identifiers

– Legacy application identifiers

– Medical Device generated identifiers

– Others?

▪ Better Safe than Sorry
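
An added example, not part of the original presentation: a pattern-based scrubber for the identifier types on the PHI list that have a recognisable format (URLs, e-mail addresses, SSNs, IP addresses, phone numbers, full dates). The `MRN` label convention and the sample note are assumptions constructed for illustration; names and the "abstract" identifiers above have no fixed shape and need site-specific rules.

```python
import re

# (label, pattern) pairs for identifier types that have a recognisable shape.
# Order matters: URLs and e-mail addresses go before the numeric patterns.
PATTERNS = [
    ("URL", re.compile(r"https?://[^\s<>\"']+", re.I)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    # Assumption: records are labelled "MRN"; real formats are site-specific.
    ("MRN", re.compile(r"\bMRN[:#\s]*\d{4,}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("IP", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
                      r"(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    # Full dates only; the year is captured because the list exempts it.
    ("DATE", re.compile(r"\b(?:\d{1,2}/\d{1,2}/(\d{4})|(\d{4})-\d{2}-\d{2})\b")),
    ("PHONE", re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}(?!\d)")),
]


def scrub(text):
    """Return (scrubbed_text, hit_counts) for one string of free text."""
    counts = {}
    for label, rx in PATTERNS:
        def repl(match, label=label):
            counts[label] = counts.get(label, 0) + 1
            if label == "DATE":  # keep the year, drop month and day
                return "[DATE %s]" % (match.group(1) or match.group(2))
            return "[%s]" % label
        text = rx.sub(repl, text)
    return text, counts


# Constructed sample note; every value in it is fictitious.
SAMPLE = ("Pt seen 03/14/2012, DOB 1948-07-02, MRN: 00482913. "
          "Call (239) 555-0142 or jane.roe@example.org; SSN 123-45-6789. "
          "Portal https://portal.example.org/p/8841 from 192.0.2.44.")

if __name__ == "__main__":
    clean, hits = scrub(SAMPLE)
    print(clean)
    print(hits)
```

A scrubber like this fits in front of application logs, crash reports and analytics events on the device, where PHI tends to leak outside the encrypted data store.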

Page 6: Enabling Software Technologies for Mobile Healthcare Solutions

Known/Measured Breaches in Summary…2005-2011

http://www.healthcarefinancenews.com/news/top-10-data-security-breaches-2012

Page 7: Enabling Software Technologies for Mobile Healthcare Solutions

How to Protect: Encryption

▪ http://en.wikipedia.org/wiki/Encryption

▪ In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). The reverse process, i.e., to make the encrypted information readable again, is referred to as decryption (i.e., to make it unencrypted)

▪ HIPAA doesn't strictly require that PHI be encrypted "at rest" (aka on disk/storage) but unless you have a very good reason, it is highly recommended you do so.

Page 8: Enabling Software Technologies for Mobile Healthcare Solutions

How to Protect: Encryption

▪ HIPAA and Encryption:

– Notification for PHI Breach Without Encryption

– No Notification With Encryption Used for Storage (at Rest) and Transmission (over Networks)

▪ Common Key Types (Algorithms):

– RSA

– AES

– DES

– 3DES

– Others

▪ Key Types: Public/Private; Secret

Page 9: Enabling Software Technologies for Mobile Healthcare Solutions

What to Protect (Physician Practice)

▪ Practice Management System

▪ Electronic Medical Records

▪ Claims Documents

▪ Scanned Images

▪ Email

Page 10: Enabling Software Technologies for Mobile Healthcare Solutions

Encryption on Strategic Mobile Device Platforms

▪ Data At Rest iOS/Apple = Yes (Hardware)

▪ Data At Rest Android/Google = No (3rd party solutions or components)

▪ Data In Motion = Integration Services Often Required

▪ Developing Multi-Platform and Targeting In Motion?

– Re-useable Tools and Components Can Save a Lot of Time and Meet The Complex Requirements

Page 11: Enabling Software Technologies for Mobile Healthcare Solutions

Mobile Authentication

▪ Strong Passwords on Mobile Devices…Pain!

▪ Biometric….Promise (2D in next iOS Release??... 9/12/2012, AuthenTec Deal)

▪ Complexity…Larger Scale Identity Management Solutions such as OAuth 2.0

Page 12: Enabling Software Technologies for Mobile Healthcare Solutions

Mobile Audit Considerations

▪ KPMG HIPAA Audits in 2012 on Behalf of HHS OCR (150 proposed to 115 as of summer 2012)

▪ The Mass General, Cignet, and UCLA Examples (Fines)

▪ Expected Focus:

– Inadequate security of wireless networks

– Lack of adequate updates to software and operating systems

– Access log recordkeeping

– Insufficient incident detection and response procedures

– Inadequate user access controls and password management controls

– Risk of theft or loss of mobile devices

– Information access management, including role-based access

▪ Mobile Security Implementation or Remediation…Sooner or Later

Page 13: Enabling Software Technologies for Mobile Healthcare Solutions

Mobile Device Management

▪ BYOD Will Not Go Away, But Markets Are Trending Towards Greater Organizational Funding

▪ A Combination Business and Personal Use Device…Common Practice

▪ How to Meet MDM Requirements:

– Data Storage and Segregation

– Lost Device

– Remote cleaning

– Access control

Page 14: Enabling Software Technologies for Mobile Healthcare Solutions

Mobile Device Management

▪ Bifurcated Solution Marketplace:

– Do it themselves ISVs

– 3rd Party Solution Platforms

▪ Define Specific Use Cases

▪ Build a Matrix of Mobile Apps, MDM Use Cases, and Potential Solutions

[Matrix, MDM use cases: Local Data Cleanse, Block Access, Track Device, Disable Device]

[Matrix, mobile apps: Practice Mgmt, EMR, Claims, Doc Images]

Password Management

– Simple Pswd Value

– Maximum Password Age

– Alphanumeric Value Required

– Maximum # Failed Attempts

– Enforce Min Length

– Enforce Min # Complex Characters

Page 15: Enabling Software Technologies for Mobile Healthcare Solutions

Rich User Interface on Small Form Factor Mobile Devices

▪ Complex Patient Data and Small Screens

▪ Slower Wireless Networks

▪ Native Apps

▪ Mobile Web

▪ Hybrid Native and Mobile Web

Page 16: Enabling Software Technologies for Mobile Healthcare Solutions

Rich User Interface on Small Form Factor Mobile Devices

▪ Persona Elaboration

▪ Simplified Use Cases

▪ HTML 5; Native App UI Objects

▪ 3rd Party Tools and Components

Page 17: Enabling Software Technologies for Mobile Healthcare Solutions

Rich User Interface on Small Form Factor Mobile Devices

Creative Solutions for Rich Healthcare Data:

– Sparklines

– Push Notification for Patient Monitoring

Page 18: Enabling Software Technologies for Mobile Healthcare Solutions

Thinking About Web Services, HL7, and Performance

▪ HL7…An XML Based Standard for Exchanging Information Between Medical Applications

▪ The Good:

– Standard Data Exchange over TCP/IP

– EDI Like Formatting Allowed for Development of Successful Parsers

– HL7 Standards for Many Healthcare Data Types

– Great Resources for Healthcare IT

Page 19: Enabling Software Technologies for Mobile Healthcare Solutions

The Case for JSON, Especially on Mobile

▪ Speed Over Networks

▪ Data Model Change Flexibility

▪ RESTful

▪ Does not Require One Truth Reference Data Modeling

Page 20: Enabling Software Technologies for Mobile Healthcare Solutions

HL7 and JSON: A Future of Détente??

▪ Clinical Document Architecture with HL7

▪ Rich Data Models within Healthcare Organizations

▪ Data Exchange moving Towards JSON

▪ Data Exchange Between Organizations Based on Common Data Model Elements

▪ Translation Middleware
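
An added example, not part of the original presentation: a small translation layer that reads an HL7 v2 message (the pipe-delimited, EDI-like encoding) and emits JSON for a mobile client, forwarding only an allow-listed subset of patient fields so that address, phone and SSN never reach the device. The JSON field names and the sample message are constructed for illustration.

```python
import json

# Constructed HL7 v2 message; segments are separated by carriage returns.
SAMPLE = "\r".join([
    r"MSH|^~\&|HOMECARE|AGENCY|MOBILE|PHONE|201209150830||ADT^A08|MSG00001|P|2.5",
    "PID|1||483921^^^AGENCY^MR||ROE^JANE||19480702|F|||"
    "12 ELM ST^^SPRINGFIELD^IL^62701||2175550142||||||123456789",
    "PV1|1|H",
])


def parse_segments(message):
    """Map segment id -> list of field lists, indexed by HL7 field number."""
    segments = {}
    for line in filter(None, message.replace("\n", "\r").split("\r")):
        fields = line.split("|")  # assumes the default "|" and "^" separators
        if fields[0] == "MSH":
            fields.insert(1, "|")  # MSH-1 is the field separator itself
        segments.setdefault(fields[0], []).append(fields)
    return segments


def field(segment, number, component=1):
    """Return one component of a field, or "" when it is absent."""
    value = segment[number] if number < len(segment) else ""
    parts = value.split("^")
    return parts[component - 1] if component - 1 < len(parts) else ""


def to_mobile_dict(message):
    """Build the reduced document; anything not named here is dropped."""
    seg = parse_segments(message)
    msh, pid = seg["MSH"][0], seg["PID"][0]
    return {
        "messageType": msh[9],                  # MSH-9
        "controlId": field(msh, 10),            # MSH-10
        "patient": {
            "mrn": field(pid, 3, 1),            # PID-3.1 identifier
            "family": field(pid, 5, 1),         # PID-5.1
            "given": field(pid, 5, 2),          # PID-5.2
            "birthYear": field(pid, 7)[:4],     # year only from PID-7
        },
    }


def to_mobile_json(message):
    return json.dumps(to_mobile_dict(message), sort_keys=True)


if __name__ == "__main__":
    print(to_mobile_json(SAMPLE))
```

The sketch ignores HL7 escape sequences and field repetitions (`~`), which production middleware has to handle.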

Page 21: Enabling Software Technologies for Mobile Healthcare Solutions

Mini Case Study

▪ A SOLUTION FOR HOME HEALTHCARE AND HOSPICE AGENCIES

▪ TECHNOLOGIES: WINDOWS PHONE 7, VS2010 / EXPRESSION BLEND 4, WCF, SILVERLIGHT, MVVM, NINJECT, NINJA DATABASE PRO, SSL, AUTOMAPPER, STRUCTUREMAP, NUNIT, NHIBERNATE, RHINO.MOCKS, LOG4NET

Page 22: Enabling Software Technologies for Mobile Healthcare Solutions

Carefully Designed UI/UX for Windows Phone 7

Page 23: Enabling Software Technologies for Mobile Healthcare Solutions

Architecture - Communication

[Diagram: DB, Security DB, Security Framework, Homecare Services, Mobile Services, Web, Phone; connections labelled Web service and WCF]

Page 24: Enabling Software Technologies for Mobile Healthcare Solutions

Architecture - Phone

[Diagram: Local cache, Views, Common UI (ViewModels), Domain, Web, Facade, Cache Manager, Providers]

Page 25: Enabling Software Technologies for Mobile Healthcare Solutions

Mapping, GPS, and Office Productivity

▪ BING Maps and GPS for Routing From Patient to Patient

– Track and Audit Patient Visits

– Track and Control Mileage Expenses

– Optimize Travel Routing

– Submit Daily Reports Instantly. Roll Up Patient Data Instantly and Daily. Eliminate Clinician Reporting Work and Errors

Page 26: Enabling Software Technologies for Mobile Healthcare Solutions

Contacts and Questions?

US Headquarters

12800 University Drive, Suite 250

Fort Myers, FL 33907, USA

Main Tel: 239-690-3111 Main Fax: 239-690-3116

E-mail: [email protected]

Thank You!

Europe Headquarters

52 V. Velykoho Str.

Lviv 79053, Ukraine

Tel: +380-32-240-9090

Fax: +380-32-240-9080

E-mail: [email protected]