Hardware and Mobile Device Selection and Security
Use this tool to assist in determining the most appropriate hardware and mobile devices for your local public health (LPH) department to use in its electronic health record (EHR), health information exchange (HIE), and other health information technology (HIT) applications.
Time needed: 8 hours
Suggested other tools: 1.4 EHR Technology Readiness Inventory, 1.5 HIE Technology Readiness Inventory
Introduction
The physical hardware environment required to support your HIT investment is varied and diverse. It includes servers, switches, PCs, tablets, smart phones, bar code readers, and many more hardware components too numerous to mention. The technical environment is ever changing and rapidly evolving. Security of each hardware component needs to be addressed as you implement the hardware. Hardware of some sort will be required to access the information in your HIT applications. Familiarity with the terms and some of the hardware that is required will prove essential as you proceed with your HIT project.
How to Use
1. Identify the types of hardware your EHR and/or HIE require you to acquire. Your selection of a straight license client/server product or an application service provider (ASP)/software as a service (SaaS) model will determine whether or not you need to acquire servers and associated network devices. If you are acquiring servers, you should obtain information from the vendor on minimum essential—as well as optimal—hardware configurations. It is important not to skimp on hardware or network connectivity, as it makes a big difference in the ability to use the system and user satisfaction.
2. Compare the capabilities of input devices (an input device is any device that provides input to a computer) to evaluate what is best for providing your services. Differences are significant and directly impact use. It is also important to think ahead. If you have a migration path where you will be buying more basic components first, you do not want to limit the hardware to only what will work for basic functionality; otherwise you may soon be faced with replacement costs.
3. Attempt to limit variation in input devices acquired or approved for use. Although one size does not necessarily fit all for input devices, a minimum amount of variation is recommended. Too many different devices, or even the same type of device from different manufacturers, can be costly to maintain. Parts are not interchangeable, documentation of system installation and maintenance differs, and upgrades come at varying times. This is especially true for small facilities with minimum IT staff. Although there is a trend toward permitting users to “bring your own device” (BYOD), the burden on a small organization and the risk that the device does not have the proper security are too great.
4. Test input devices. There are significant differences in input devices and how well they can be used in different types of environments. (See table below.) While a thorough test cannot be performed without the actual application in place, a small number of different devices can be provided to different users early in the process of HIT planning. They can use these devices for routine email, Internet access, computer skills building, secure email if it is set up early, and even reviewing vendor demonstrations. This not only helps evaluate the devices, but also builds computer skills and helps end users evaluate how they will use the devices at the point of care.
While administrative staff will probably use desktops or stationary notebook/laptop devices, public health nurses may have more options—especially as they provide services away from the office. There are several considerations to help determine whether notebooks, tablets, or smart phones are most desirable.
Types of Devices: Stationary vs. Mobile
Stationary Devices
Desktops
- Require space for monitor, keyboard, and system unit (if a thin client* is not used)
- Associated devices, such as navigational devices, speech recognition, power, security
Notebooks/Laptops
- Enable portability when necessary by staff or to swap for use in the field
- Requires extra precautions for encrypting the data retained on the device
- More expensive than desktops
Mobile Devices
- Notebooks/laptops
- Tablets
- Smart phones
For notebooks/laptops, issues of:
For tablets, issues of:
- Weight
- Battery life (better than notebook/laptop)
- Processing power
For smart phones, issues of:
- Size of screen
- Battery life
- Processing power
For all:
- Require wireless network, or downloading patient data for the day (if sufficient storage)
- Require consideration for where to put the devices when not in use at the client’s home and when traveling. (See Security Considerations below.)
- Expense is variable
- Not all EHRs are designed to work optimally on a smart phone
*A thin client refers to a computer with minimal or no local processing capability. As data are entered, they are sent to the server, processed, and returned to the user. Many EHRs used by LPH departments will likely run on thin clients. Some users who also use HIT with more sophisticated processing functionality may require a “thick client” (i.e., one with a system unit housing local processing capability).
Some clinicians prefer to handwrite or dictate. Speech recognition, except when used to issue voice commands to a structured data template (discrete reportable transcription [DRT]), does not generate discrete (or structured) data values. As a result, the computer cannot process the information into graphs or trend lines, or perform clinical decision support with the information dictated. Some public health nurses may already use speech recognition systems to enter narrative notes into a word processing system. You should be aware of issues associated with speech systems and plan carefully if they become a consideration in your EHR selection:
- Speech is digitized and matched against coded dictionaries to recognize words.
- Newer speech recognition systems accommodate continuous speech.
- Newer systems are speaker-independent, requiring almost no training (although in some cases systems improve accuracy with use).
- Speech recognition accuracy is improving; however, commonly used terms rather than medical terms are where errors often occur. For example, “next week” may be spoken as “nexweek,” which the system cannot understand.
- Correction must be performed, either:
- Speech recognition at the point of care may be a significant change for clinicians who are not accustomed to telling their clients what they are entering into their health records. However, if used to keep the client engaged while performing data entry, this feature can be very helpful. Speech recognition is not your sole means to enter data. For sensitive data, the speech component can be turned off temporarily and a template or keyboard can be used.
- Speech recognition is most successful in areas of health care that have a high degree of standardization/repetition and a small amount of content to be dictated.
- DRT utilizes speech recognition with natural language processing. The user dictates following a template on the screen. The narrative dictation is captured as a note while, simultaneously, the structured data fields on the template are populated. (The template must be followed without jumping around or the system will not know where to put the data.) These systems are very new, more expensive, and must be used with EHRs that are compatible.
- Handwriting recognition (on a tablet) is a very similar process to speech recognition, although it may require more system training. Tablets have the ability to select data from menus using a stylus or finger.
Bar Code/Radio Frequency Identification (RFID)
The U.S. Food and Drug Administration requires manufacturers to apply bar code labels for all human drug and biological products. Bar codes on packages of drugs have been used primarily for pharmaceutical inventory, but the bar code on a pill bottle could also be used to scan the bottle to determine what drug it contains. More recently, bar codes are being used in medication administration when patient wrist bands, nurse badges, and unit dose medications with bar codes are available. Bar codes are also being used to manage lab specimens.
Radio frequency identification (RFID) is similar to bar code technology but does not require direct line-of-sight to read the codes. In health care, RFID tags are being used to track movement of clients—especially those with memory loss—and employees, expensive equipment, and narcotics.
Document Scanning Systems
As the desire to become paperless becomes more ubiquitous, consideration may be given to acquiring a document imaging system, which then requires a scanner to scan documents. Small, portable scanners are available for occasional scanning. More heavy duty scanners can be leased, especially for temporary archiving of old paper records. More sophisticated electronic document management systems (EDMS) add indexing functionality as well as the ability to transfer electronic documents, pictures, voice files, etc. directly into a document repository. (For example, an electronic fax or email would not need to be printed and scanned into a document imaging system. Instead, it can be sent directly as an electronic file to the document management system.)
Kiosk
A kiosk is a computer with special software to support limited data entry via mouse, card reader, and/or touch selection. Some kiosks are built into furniture and may also include limited printing capability. (An example of such a kiosk is at an airport ticket counter where you may touch the screen to enter your itinerary and a boarding pass can be generated.) Kiosk characteristics can also be included in notebook computers and tablets.
Kiosks are becoming popular in waiting rooms to identify arrival of a patient or family member, and to allow patients to enter their demographic data and history of present illness. Kiosks are also being used in health care for patient authorization or consent, where the client reviews a document, such as an authorization or consent form online and affixes a digitized signature (much like in the retail setting). For informed consent for a surgical procedure, kiosks can provide an interactive experience that may be more comprehensive than many exchanges between provider and patient.
For persons with behavioral health issues, evidence suggests that—especially for young people—interacting with the computer is easier than speaking to therapists or nurses. Accessing a kiosk-type presentation of an assessment online can aid engagement of confrontational teens. For persons in remote communities, a kiosk can include an online chat session or even a Skype-type of call. Apps for mobile devices can be viewed as a special type of kiosk as well, and can incorporate physiological sensing. Kiosk functionality or apps are the basis for games that have been found useful in behavioral health, geriatrics, and for those for whom English is not the primary language. It must also be noted, however, that mental health issues can be linked to too much computer and smart phone usage, because of the connections with isolation, gambling, dysfunctional online relationships, etc.
Security Considerations
Loss or theft of mobile devices is one of the biggest concerns in health care. A significant percentage of breaches reported to the federal government involve mobile devices with protected health information (PHI) that has not been encrypted. Applying a password is not adequate. To reduce the likelihood that your LPH department could have a breach of privacy as a result of a lost or stolen mobile device, follow the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html. This Web site also directs the reader to the National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices. It is essential that any device that contains PHI and is moved or can be moved be encrypted.
The EHR vendor should be able to apply this technology for you so that the process is seamless to the end user. Be aware that while thin clients do not store information on them, if passwords are stored on the device, it is essentially no more secure than if all the information were stored directly on the device. Passwords should not be stored on any device.
Encryption must also be applied to PHI as it is transmitted. The Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals referred to above also points the reader to NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations (for transmissions over the Web); 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs (for transmissions through a virtual private network [VPN]); and “others which are Federal Information Processing Standards (FIPS) 140-2 validated.”
Any organization providing HIE should have specific requirements for securing transmissions. For more information, see Section 4.9 Using Direct for HIE and Section 4.10 Using CONNECT for HIE.
Copyright © 2014 Stratis Health. Updated 03-14-14