Chapter 15: Dependable System for Quality Care Introduction The health care industry is undergoing a dramatic transformation

n from todays inefficiently, costly, manually intensive model of care to delivery to a more efficient, consumer-centric, science based model that proactively focuses on health management. This transformation is driven by several factors, most prominently the sky rocketing cost of healthcare delivery, the exposure of patient safety problems, and an aging baby boom population that recognizes the potential for information technology to reduce the cost and improve the quality of care. The International Council of Nurses (ICN), Code of Ethics for Nurses affirms that the nurse holds in confidence personal information and ensures that use of technology is compatible with the safety, dignity, and rights of people. Fulfilling these ethical obligations is the individual responsibility of the nurse, who presumably has the ability and authority to ensure that personal information is protected and that technology is safe.

Thus, ethical obligations drive requirements for system reliability, availability, confidentiality, data integrity, responsiveness and safety attributes collectively referred to as dependability. Dependability is a measure of the extent to which a system can justifiably be relied on to deliver the services expected from it. Comprises the following 6 attributes: i) System reliability. The system consistently behaves in the same way. ii) Service availability. Required services are present and usable when they are needed. iii) Confidentiality. Sensitive information is disclosed only to those authorized to see it. iv) Data integrity. Data are not corrupted or destroyed. v) Responsiveness. The system responds to user input within an expected and acceptable time period. vi) Safety. The system does not cause harm. *Because dependability tends to be a property of the system as a whole, it cannot be retrofitted, but must be designed and built into the system from the outset and conscientiously preserved as the system evolves.

When Things Go Wrong The dramatic cover story for febuary 2003 of Cio, - "one of the most health care IT criseshistory" - a catastropic failure in network infrastracturethat supported Care group. - The source of problem was traced to network, whena researcher uploaded a multigigabyte file into the PICTURE ARCHIVING AND COMMUNICATION SYSTEM (PACS) - The failureresultedin a 4hourclosure of emergency room - complete shoutdown of network and 2days paper based clinical operations - Network services werwnot fully recovered until 6days Covenant health , based in Knoxville, Tn, report that the SQL slammer worm attackinvaded its six-hospital network - through a single port connection . - 12hours recovery from the attack. March 2003, Kaiser Premanente. - Learned how the lackof depandability can affect its business - When power outage caused to misprint labels on prescribed medications. - Kaise was forced to contact 4,700peoiple to verify their orders. -1month after, a new labortatory computer system at Los Angeles, Medical Center overloaded. August 2003, Blaster and Sobig attacks invaded Hospitals around the world In Glasgow scotland 10,000 computeres used by City hospitals and emergency services were infected, and systems at one hospital down for 15hours 1/3 computer of Baylor College of medicine

- about 2,100 machines infected by Blaster and Sobig worm attacks. - The cost attacks exceeded $100K and 2.5 days of productivity DEPENDABILITY the trustworthiness of a computing system which allows reliance to be justifiably placed on the service it delivers. (IFIP 10.4 Working Group on Dependable Computing and Fault Tolerance) the collective term used to describe the availability performance and its influencing factors : reliability performance, maintainability performance and maintenance support performance. (Technical Committee 56 Dependability of the International Electrotechnical Commission (IEC))

ELEMENTS OF DEPENDABILITY 1. ATTRIBUTES - Attributes are qualities of a system. These can be assessed to determine its overall dependability using Qualitative or Quantitative measures. a. Availability - readiness for correct service b. Reliability - continuity of correct service

c. Safety - absence of catastrophic consequences on the user(s) and the environment d. Integrity - absence of improper system alteration e. Maintainability - ability for a process to undergo modifications and repairs f. Confidentiality sensitive information is disclosed only to authorized persons. 2. THREATS - Threats are things that can affect a system and cause a drop in Dependability. a. Fault- is a defect in a system. b. Error - is a discrepancy between the intended behaviour of a system and its actual behaviour inside the system boundary. c. Failure - is an instance in time when a system displays behaviour that is contrary to its specification.

4. Hire Meticulous Managers 5. Dont be Adventurous

GUIDELINE #1: Architect for Dependability A fundamental principle of system architecture is that an enterprise system architecture should be developed from the bottom up so that no critical component is dependent on a component less trustworthy than itself.

GUIDELINE #2: Anticipate Failures In anticipation of failures at the infrastructure level, features that are transparent to software applications should be implemented to detect faults, to fail over to redundant components when faults are detected, and to cover from failures before they become catastrophic.

3.

MEANS a. Prevention b. Removal c. Forecasting d. Tolerance

GUIDELINE# 3: Anticipate Success The system planning process should anticipate business successand the consequential need for larger networks, more systems, new applications, and additional integration.

GUIDELINES FOR DEPENDABLE SYSTEM 1. Architect for Dependability 2. Anticipate Failures 3. Anticipate Success

GUIDELINE# 4: Hire Meticulous Managers Managing and keeping complex networks and

integrated systems available and responsive requires meticulous overseers individuals who know that failures will occur and accept that failures are most likely to occur when they are least expected. GUIDELINE# 5: Dont be Adventurous One should use only proven methods, tools, technologies, and products that have been in production, under conditions, and at a scale similar to the intended environment.

HIPAA (Health Insurance Portability and Accountability Act) security regulation prescribes administrative, physical and technical safeguards for protecting the confidentiality and integrity of health information and the availability of critical system services. The following eight required administrative safeguards represent important operational practices that will clearly contribute to system dependability: 1. Security management, including security analysis and risk management 2. Assigned security responsibility 3. Information access management, including the isolation of clearing house from other clinical functions 4. Security awareness and training 5. Security incident procedures , including response and reporting 6. Contingency planning, including data backup planning, disaster recovery planning, from emergency mode operations 7. Evaluation 8. Bussiness associate contracts that lock in the obligations of business partners in protecting health information to which that they may have access Five physical safeguards also contribute to system dependability by requiring that facilities, workstations, devices, and media be protected:

Assessing Healthcare Industry Healthcare clearly has a need for dependable systems, both now and after the transformation, as the industry becomes increasingly dependent on IT in the delivery of patient care. This assessment is not intended to represent all healthcare provider organizations. Healthcare Architectures For adherence to the first guideline architect for dependability the clinical care provider community gets a barely passing grade of D. Healthcare organizations build or perhaps compose their systems from the top down rather than from the bottom up. EAI or interface engines are used to transfer data most commonly from a clinical system to a building system.

1. Access control, including unique user identification and an emergency access procedure 2. Audit controls 3. Data integrity protection 4. Person or entity authentication 5. Transmission security Security plays a critical role in achieving system dependability. In health care environment access must be more liberally authorized than in many other security environments because access to information is a prerequisite to care. Anticipating failures For adherence to second guideline expect failures the clinical provider gets another grade of D. Medical technology and prescription drugs, as well as clinical treatment protocols, are required to go extensive validation before they can be used in clinical practice. Computers are increasingly being used in safety clinical applications, and without careful and appropriate attention to software safety, we can reasonably expect that failures will contribute to the loss of human life.

software applications, computer systems, and networks to work. In fact, providers assume their systems work as well as many other medical equipment despite the fact that many of the software applications they use are running on the same kind of PCs that have failed at home. However, healthcare organizations do not forsee that their business success may increase their need for processing power and networking capability. IT Management For the fourth guideline hire meticulous managers the clinical provider has been assigned a mediocre grade of C. Many provider organizations truly do recognize the criticality of IT to their business success. IT Managers role: Recognize the need for dependable systems that can anticipate and recover from failures Recognize the strong relationship between system dependability and the quality and safety of patient care implement fault-tolerant systems with strong security protection, middleware to manage workload , and tools to continuously monitor the health performance of their applications, systems and networks. Healthcare organizations who view IT as a support function and costly

Anticipating success With respect to the third guideline expect success the clinical care provider community has earned a mediocre grade of C. Health care organizations definitely expect their

business expense, frequently select IT managers who may understand the healthcare business but may not understand the fragile nature of IT or the importance of Guideline 1 architecting for dependability. Adventurous Technologies in Healthcare The fifth and final guideline dont be adventurous is the most difficult to assess for health care was given a grade of C. Healthcare clinicians, including nurses, historically and typically are very resistant to change , largely because they are taught to be circumspect in considering new approaches, treatment protocols and drug regimens. Before adopting any new idea, they investigate it, the talk about it and among their colleagues, then watch someone else try it and perhaps, they may try it themselves. Wireless Networking and Handheld computers serve as a good example of technologies that are not yet mature for safety clinical applications. Further, handheld platforms typically may have many of the same security vulnerabilities as the early PCs: Weak authentication No separation of execution domains No(or weak) encryption support

Vulnerability to malicious code attacks directed at either the device itself or the enterprise network with which it synchronizes.

Summary and Conclusions The health care industry is undergoing a dramatic transformation from todays inefficiently, costly, manually intensive model of care to delivery to a more efficient, consumercentric, science based model that proactively focuses on health management. IT is a key enabler for this transformation. As provider organizations become increasingly dependent on IT the delivery of care, new risks emerge, and system dependability becomes essential for business success, quality care, and patient safety.

This chapter has described 5 guidelines for achieving dependable systems. Architect for dependability Anticipate failures Anticipate success Hire meticulous managers Dont be adventurous

An informal assessment of the healthcare provider community suggests that the healthcare industry has exhibited little recognition of the importance of enterprise architecture and the strong interrelationship among information security, system dependability, and patient safety. However, this is not surprising for those whos just beginning to use IT for core business functions, such as clinical care. The future looks much brighter than the current state. The mandate for the healthcare industry to conduct business more efficiently and to deliver a safer and a higher quality of care is being championed by industry consortia, scientific community, and the federal government. As business operations and priorities change the role and status of IT within provider organizations will increase. The healthcare provider of tomorrow undoubtedly will consider IT, a core business asset and system dependability a business imperative.