The age-old problem of communicating radiological reports and images is increasingly being resolved with electronic technology. What appears to be occurring, according to the respondents contacted for this article, is that Web-based implementations are being used as the mainstay vehicle for presentation of this information. Web technologies such as browsers and programming languages such as Java, ActiveX, and VBScript are allowing easily deployable and maintainable graphical user interfaces (GUIs) to access medical information.

In fact, security is such a concern that some very cutting-edge health facilities are not using the Web or are using it sparingly. The Health Insurance Portability and Accountability Act (HIPAA) regulations have not been finalized, but they are on the immediately visible horizon (see story on page 38). These regulations will place major requirements for patient data security on physicians and medical institutions.

For purposes of this article, the terms Web and Internet will be used interchangeably because respondents treated them that way. But, technically, there is a difference. The Internet has been called the “mother of all networks” by writers for America Online (AOL), a major provider of Web access.

According to those same writers, the Internet is a “system of interconnected computer networks…connected via a web of fiber-optic cables that encircle the world like a chrysalis encircles a moth.” The World Wide Web by distinction is that part of the Internet where user Web sites are denoted and lodged.

According to the AOL experts, the Internet has become so big with so many users and addresses that the answer to exactly what is the Internet “is as elusive as Elvis.” Is a facility’s internal communications network that can be accessed over the Web part of the Internet? Probably not, or maybe so; it is easy for apples to turn into oranges on this communications landscape.

Information Please

The Internet is attractive as a data transmission vehicle because it goes everywhere, is extremely flexible and relatively fast, and requires little in the way of specialized hardware and software to achieve a connection.

Web technologies, on the other hand, have achieved unbridled endorsement and are in the active deployment process at all institutions surveyed. These technologies consist primarily of browser-based software and centralized Web servers and can easily be deployed and maintained. Browsers offer the physician a relatively uniform method of accessing patient information and often allow multiple vendors to cooperate in presenting their data in a more uniform format.

At Austin Radiological Association (ARA) in the Texas capital, a Web-based system is being installed that will link ARA’s 14 clinics, three hospitals for which it is the exclusive image provider, and eight additional hospitals where it holds service contracts. Moreover, the system will link with local referring physicians and, if needed, can send images anywhere.

“A fundamental of how we went about developing the business was that the RIS (radiological information system) is Web based, the PACS (picture archiving and communications system) is Web based, and everything has an underlying tenet of using Internet protocols and a Web architecture to make it easier for us to service,” says Greg Karnaze, MD, ARA’s president. “It’s easier for people to use, and it makes components easier to buy. You can buy anybody’s components to do this.”

Moving data quickly was also a big motivation for ARA, notes neuroradiologist Neal Rutledge, MD, chairman of the company’s information technology committee. “We really believed that speed was one of the core things that we had to achieve,” he says, “and the only way to do that in a distributive way now and in the future is our intranet. There are alternative ways to move data - it’s just extremely expensive.”

At Susquehanna Health Systems (SHS) in Williamsport, Pa, a vendor-supplied Web-based system has been in place for less than a year but has made a backlog of medical data available electronically that includes imaging studies. The result is broader, faster access that has the capacity to improve patient care, according to SHS Chief Information Officer Pamela Wirth.

“It’s a Web portal,” says Wirth. “It’s a Web page. To log on, you have a desktop icon or a favorite that takes you to that Web page. We present the patient as a single entity. It presents document information from the RIS/PACS. It presents all that to the physician.” SHS pays a monthly fee for the system, which uses a main computer (server) at the vendor site to interconnect computers at three acute care hospitals that SHS operates in rural north-central Pennsylvania. The system also admits designated referring physicians and handles communications for two other small rural hospitals where SHS provides data management.

A big time savings with the system, which is an access point for a layered series of data files from the RIS and PACS, is that a single sign-on procedure clears the way to the various applications, says Wirth. “Before, it was difficult to have single sign-ons for multiple applications. That’s a big time savings.”

Wirth also says the system is extremely flexible. Information can be added at the request of clinical or financial staff. “We’re sending more and more data - it’s sort of up to your imagination, believe it or not,” says Wirth.

49 Flavors

While Web technology appears to receive universal praise, institutions continue to struggle with implementations based on the Internet itself. At the University of Texas in Houston, the MD Anderson Cancer Center employs a virtual private network (VPN) to access its on-site data over the same vendor-supplied Web-based software that serves off-site clinicians. The VPN is a system of dedicated phone lines that link approximately 5,000 users on the Anderson campus, according to Director of Diagnostic Imaging Informatics Chuck Suitor.

The VPN is not just phone lines; it includes encryption software at each site that monitors access to data. The data that flow across the Anderson campus use the Web-based ports like those that feed into the Internet for outside access. Suitor says, however, that the data going across campus do not actually go on the Internet. “If you look at local images, you won’t cross the Web at all.”

At the Cleveland Clinic Foundation (CCF), where more than 1 million multispecialty images are read annually from facilities throughout Ohio and from two clinical locations in Florida, the deployment of Internet technology is proceeding cautiously. CCF relies on a variety of VPN links to transmit electronic imaging data, according to Network Director for Radiology Robert A. Cecil, PhD. He says Web-based technology is being deployed rapidly over primarily VPN-based networks. Enterprisewide, more than 20,000 network nodes must be considered. The cost of security for this VPN-based network is manageable, but the costs for an Internet-based deployment become much more problematic. The costs for security setup, verification, tracking, and other HIPAA regulations enabling a single physician to access a patient record over the Internet can become significant for an organization with the reach of CCF.

The VPN is CCF’s mainstay. “The VPN connects the RIS and PACS,” Cecil says. “On the PACS there are 300 computers that display and manipulate images for radiologists. All of them are used for diagnostic review.” About 65 are Unix-based, and the remainder are a variety of Windows systems.

Improved patient care is routinely cited as one reason for installing Web-based communications systems. Like others, MD Anderson’s Suitor says the ability of ED doctors to access electronic images, prescription information, and other data quickly from the emergency department can save lives. But the ED is not the only place the data helps. Suitor says that not long ago surgeons were unable to find hard-copy film, “so they looked at the images on the computer and did the review and were able to proceed with the surgery.”

Suitor also says the reverse has happened. Because a radiologist using Web images was able to make a convincing argument to surgeons that a tumor was inoperable, the surgery scheduled for that patient was called off just prior to going into the operating room, Suitor says.

Battening Down The Hatches

The cost of a logistically complex deployment is the primary reason that the Cleveland Clinic Foundation has decided to move slowly with widespread use of the Internet. “How do you know who’s reading the report?” Cecil asks. “I guess you can look him up in the dictionary of physicians and see if his name is in there. You can call his secretary for verification, and then hope that he’s the only one who gets in and looks at those images. But the only way to verify that he’s the one looking at them is to go to his site and set up his computer. And that deployment, monitoring, and support process can get expensive fast,” Cecil adds.

Secure implementations for Internet transmission of patient data do exist, and they are being used. At ARA in Austin, the internal intranet-based system being installed will use passwords and other controls to limit access. “HIPAA requires that you authorize, authenticate, and audit access,” says Karnaze. “We’ll have those three pieces in place, but we don’t want to give the details away.” ARA’s Director of Information Services Todd Thomas says the connections will probably be governed by a Secure Sockets Layer (SSL), a connection he likens to a VPN. ARA appears to be well-positioned to provide Internet access when the need arises.

Another site that may be well positioned for the transition to use of the Internet for transmission of patient medical records is Susquehanna Health Systems, where Wirth says security is provided by an SSL system, used in conjunction with a special key fob given to each physician accessing data. Wirth says the key fob or token is a small, pocketable digital display device with a six-digit access code that changes every 60 seconds. The code is changed in case the token is lost, misplaced, or stolen. To gain access to SHS data, the user must type in the access code appearing on the token. “We’ve had a few tokens break,” Wirth says. Other than that, the security system has worked very well, she adds.
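The rotating six-digit code described above can be illustrated with the open TOTP scheme (RFC 6238) set to a 60-second step, including the server-side handling of clock drift and replayed codes. This is an added example, not SHS's or its vendor's code: the article does not say which algorithm the token uses, and the `TokenVerifier` class, the secret and the timestamps are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code, matching the 60-second rotation described above
DIGITS = 6   # six-digit access code


def code_at(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for one time-step counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Server-side check for one user's token: drift tolerance plus replay rejection."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps   # accept codes this many steps early or late
        self.last_counter = -1           # highest time step already accepted

    def verify(self, submitted: str, now: float) -> bool:
        current = int(now) // STEP
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue  # a code from this step or an earlier one was already used
            if hmac.compare_digest(code_at(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


def demo() -> list:
    secret = b"12345678901234567890"   # constructed sample secret (RFC 4226 test key)
    server = TokenVerifier(secret)
    fresh = code_at(secret, 5)         # code shown during time step 5 (t = 300..359)
    return [
        server.verify(code_at(secret, 0), 320),  # code from five steps ago: rejected
        server.verify(fresh, 320),               # current code: accepted
        server.verify(fresh, 330),               # same code replayed: rejected
        server.verify(code_at(secret, 6), 330),  # token clock one step fast: accepted
    ]


if __name__ == "__main__":
    print(demo())
```

The replay check matters because a code observed in transit or over a shoulder would otherwise stay valid until its time step and drift window expire.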

One consistent feature of any security system discussed by those interviewed is that the names of all those accessing a given file are recorded. Therefore, a patient demanding to see the access list would know which doctors had been looking at the patient’s records.

Of course, intangibles like who may be in the room with a physician accessing data or how freely radiologists can call up studies on patients not their own for comparative purposes may have to be legally determined if disputes arise.

The best a facility may be able to do is to put the security controls in place and wait to see what sorts of problems develop. At Houston’s Anderson Cancer Center, a VPN is used to control access to the Web-based medical record system, and software enables the provider to audit use. “Physicians can see anybody in the system, but anytime you look at something, it will be recorded that you looked at it,” says Suitor. “We’re not going to be the judges of what is appropriate access. We’ll generate the access list and hand it off to the medical ethics people, and they can make the determination.”

Suitor does note one gray area. Vendors of CT and MRI equipment in use at Anderson are given Web access to their machines so they can make software repairs electronically. This eliminates many long waits while vendors make a car journey to the clinic to work on software.

“We’ve granted a certain amount of trust to that service organization,” says Suitor. Trust with electronic Internet-based transmissions appears to be a trade-off that facilities are willing to make in order to take advantage of the Net’s considerable advantages: speed, ubiquity, and economy.

George Wiley is a contributing writer for Decisions in Axis Imaging News.