VOLUME I, 2009 Technology Virtualization in Healthcare Transformation and Secure Innovation


Evolvent: Secure Technology Innovation

Contacts:

Bill Oldham, Chairman and CEO (Virginia)
Paul Ramsaroop, President and COO (San Antonio)
Doug Stock, Executive Vice President (Virginia)

Northern Virginia
5111 Leesburg Pike, Suite 506
Falls Church, VA 22041
Phone: 703.824.6000
Fax: 703.379.2148

Northern Virginia
100 Carpenter Drive, Suite 206
Dulles, VA 20164
Phone: 703.824.6000
Fax: 703.481.7925

San Antonio
4400 Piedras Drive South, Suite 175
San Antonio, TX 78228
Phone: 210.268.1400
Fax: 210.735.3404

Email: [email protected]
Web: http://www.evolvent.com

Capabilities: Evolvent is a healthcare systems company with services ranging from program assessments to global implementations. Evolvent provides services and solutions that address four broad areas of client needs: Behavioral Health Program Design, Automation, Planning and Program Management Services; Patient Information Services (Electronic Records / Imaging / Global Telehealth Support); Cybersecurity (Information Assurance, HIPAA, Privacy); and Information Systems Integration, Design, Implementation, and Protection. For a full capabilities brief or more details regarding our services and how to contact us, please email [email protected], call one of our offices or visit our website at www.evolvent.com.

NAICS Codes:

518210 Data Processing, Hosting, and Related Services
541512 Computer Systems Design Services
541513 Computer Facilities Management Services
541519 Other Computer Related Services
541611 Administrative Management and General Management Consulting Services
541614 Process, Physical Distribution, and Logistics Consulting Services
541618 Other Management Consulting Services
541690 Other Scientific and Technical Consulting Services
541990 All Other Professional, Scientific, and Technical Services
561320 Temporary Help Services
611420 Computer Training
611430 Professional and Management Development Training
611710 Educational Support Services

CCR/Dynamic Small Business Search (PRO-Net) Registered
ORCA Registered
Accept Government Purchase Card

Federal Contract Vehicles:

D/SIDDOMS III (D3) Small Business Prime
GSA IT Schedule 70: GS-35F-0364M
Seaport-e
VA GITSS
VA VISTA BPA
Army MRMS IDIQ
DESP-2
AF NETCENTS
Army ITES-2S
AF MASS

Representative Federal Performance History:

Military Health Systems (MHS) Defense Health Information Systems (DHIMS): Develop application support for Neurological Cognitive Assessment Tool (NCAT)
Military Health Systems (MHS) Defense Health Information Systems (DHIMS): Develop application support for Healthcare Artifacts and Image Management System (HAIMS)
TRICARE Management Activity (TMA) Defense Center of Excellence: Analyze, prototype, develop and evaluate virtual worlds including Second Life and their utility for military personnel with PH and TBI concerns
Army Office of the Surgeon General: Provide Telehealth Services
Military Health Systems (MHS) (HP&E): Provide a Data Repository
US Army Medical Information Technology Center (USAMITC): IASO/Project IASO – Security Testing and Evaluation
Air Force Medical Service: Systems Analysis Design and Maintenance; IT Support Services
Air Force Surgeon General’s Office, Air Force Medical Support Agency: Knowledge Exchange, Enterprise Architecture and Portfolio Management Consulting Support, Expert Rapid Requirements Analysis Support, and AFSO21 Program Consulting Support
Naval Medical Information Management Center (NMIMC): Telemedicine Systems Engineering, Analysis and Technical Support
Commander, Navy Installations Command: Website Consolidation Engineering & Technical Consulting Program
Kirtland Clinic, Kirtland AFB: Help Desk and LAN Support
Science Applications International Corporation: Information Technology (IT) Consulting Support (Clinical & Non-Clinical)
Wright Patterson Medical Center, Wright Patterson AFB: Systems Analysis Design and Maintenance
Department of Veterans Affairs: Records Management and FOIA Support Consulting & Services
Veterans Health Administration: Information Assurance Service Support, Records Management, and Application Development

Representative Commercial Performance History:

Bell Helicopter Textron, Inc.: Information Assurance Service Support
University of Pittsburgh Medical Center: Telemedicine Systems Engineering, Analysis, and Technical Support
Danya International: Security & Management Consulting Services
Omnicell: Information Assurance Service Support
WorldVision: Document Management and Collaboration Technology Implementation Services
MRS, Inc.: Information Assurance Service Support
Maximus: Information Assurance Service Support
HandySoft: Information Assurance Service Support


Evolvent Magazine, Volume I, 2009

Editor-in-Chief: Paul Ramsaroop
Editors: Jennifer Cupka; John Daniels; Stella Ramsaroop
Contributing Writers: Bill Oldham; Anna Worrell; John Daniels; Monty Nanton; Barry P. Chaiken, MD; Karen Gonzalez; Guy Sherburne; Harris IT Services, featuring Dr. Bart Harmon
Art Director: Bridget M. Skelly
Publisher: Evolvent Press

Statements contained herein may constitute forward-looking statements that involve risks and uncertainties. Due to such uncertainties and risks, readers are cautioned not to place undue reliance on such statements.

Copyright © Evolvent, 2009. All rights reserved.

In This Issue:

• Virtual Healthcare Artifact and Image Management. Anna Worrell, Vice President, Evolvent; John Daniels, Vice President, Evolvent

• Behavioral Health. Monty Nanton, Sr. Vice President, Evolvent

• Clinical Transformation: Leveraging Health IT to Deliver Safe, Efficient Care. Barry P. Chaiken, MD

• Duplicate Patient Records: Bringing a Focused Approach to the MHS Forefront. Karen Gonzalez, Director, Med. Ops., Evolvent

• Using Social Networking to Engage the Healthcare Consumer. Barry P. Chaiken, MD

• An Information Protection Strategy: Beyond Perimeter Defenses. Monty Nanton, Sr. Vice President, Evolvent; Guy Sherburne, Sr. Vice President, Evolvent

• Security Challenges and Threats. Guy Sherburne, Sr. Vice President, Evolvent

• New Nationwide Healthcare Information Network to Enhance Patient Care and Reduce Costs. Harris IT Services, featuring Dr. Bart Harmon

• Thought Synch: Proof of Need for Virtual Data Framework Vision. John Daniels, Vice President, Evolvent


Welcome to the new Evolvent Magazine for 2009!

There are so many positive new beginnings in global healthcare that it is hard to know where to start! At Evolvent, we are honored to be trusted by a number of public and private sector customers to put our collective heads together and build smartly for the new networks and capabilities central to the success of the changing face of healthcare.

In this magazine, we highlight the transformative efforts we are working on as well as identifying trends to watch as healthcare markets change and evolve around the world. Here are highlights for a few of these articles:

• Clinical Transformation: Leveraging Health IT to Deliver Safe, Efficient Care. Guest article from Evolvent Advisory Board Chair & CMIO, Dr. Barry Chaiken

• Using Social Networking to Engage the Healthcare Consumer. Guest article from Evolvent Advisory Board Chair & CMIO, Dr. Barry Chaiken

• An Information Protection Strategy Beyond Perimeter Defenses. Focused reengineering approach for information security including a more ROI driven model leveraging new technologies and domains to advance a more sustainable enterprise security model

• New Nationwide Healthcare Information Network to Enhance Patient Care and Reduce Costs. Guest editorial from Dr. Bart Harmon, Harris Corporation, highlighting the work of the NHIN program

• Security Challenges and Threats. A reconnect with Evolvent security leaders on the continued threats and challenges of managing security

• Thought Synch: Proof of Need for a Virtual Data Framework Vision. Evolvent’s CIO and HIMSS Board Vice Chair for 2011, John Daniels, highlights the need for data virtualization for large medical enterprises to leverage data in the changing world of healthcare

Our thought leaders have also highlighted progress in enterprise medical imaging, the use of technology in behavioral health, and the tools and approaches needed for data quality initiatives related to duplicate records.

As we look at putting the needs of patients and functional users first – delivering data quickly and securely for the enhancement of healthcare delivery, we face an incredible number of opportunities for forward progress. In the federal sector, both the Department of Defense and the Department of Veterans Affairs are facing monumental challenges from the long conflicts and the changing nature of the diseases and health concerns that dominate the new mission. Through changing architectures and engaging industry leaders our clients and our teams are leveraging lessons learned and best practices in many thoughtful and hopefully cost-effective ways.

Our teams are honored to be in the front lines of global telehealth support for the US Army and in behavioral healthcare across the DoD and the VA through our work with Defense Center of Excellence for Psychological Health and Traumatic Brain Injury (DCoE). From sensors to social networking tools, we are pleased and honored to bring technology and thought leadership to some critically important work.

Through new technologies and methodologies for managing health IT programs, Evolvent experts and support staff are working to enhance care for our wounded warriors and their families. Many of the special needs of this work are akin to the transformative learning of prior generations through the federal investment in our storied space programs of the 1960s and 1970s – driving innovation across the spectrum of healthcare delivery.

The use of technologies and business process reengineering to change practices can be harnessed in much the same way that space science transformed our technology base from the 1970s forward. With lower cost solutions and highly adaptive tools, the opportunity for healthcare organizations across the public and private sector to embrace the coming industry transformation is an enormous challenge with big potential rewards and pitfalls. We hope you find the articles and thinking in this magazine useful in meeting this challenge and as always welcome your feedback. We look forward to hearing from you.

Bill Oldham, Chairman & CEO

[email protected]


Virtual Healthcare Artifact and Imaging Management

By Anna Worrell & John Daniels

One of the top challenges echoed throughout the healthcare industry and in the halls of the legislative branch of government is the need for true “interoperability” – the need for free healthcare information exchange and truly informed decision making at the point of care. The technology is available today, but solutions seem to be mysteriously elusive. We have seen some successful Electronic Medical Record (EMR) related information technology implementations, but even the most successful implementations fall short in terms of making ALL of a patient’s information available at the point of care. Why can’t artifacts and images be made available? Because they typically rest scattered throughout the system in disparate repositories managed by disparate organizations, completely inaccessible to the point-of-care providers who are doing their best given a limited set of information. It is no wonder mistakes are made, it is no wonder people are hurt, and it is no wonder healthcare spending is reaching twenty percent of the gross domestic product. Just as in times of national crises and need, the Military Health System (MHS) is answering the call of duty.

The MHS faces the same challenges that plague all other healthcare providers, except that, unlike most other providers, the MHS’ challenge is a global one. Soldiers, Sailors, Airmen and Marines span the globe and no matter where they are, they deserve, and the MHS works exhaustively to provide, the best healthcare has to offer. But in order to do that, the MHS must be able to provide ALL of a patient’s information needed at the point of care. To give you an idea of how many points of care we are talking about, consider this: More than 137 thousand MHS staff support over 9.1 million beneficiaries from 412 medical clinics, 414 dental clinics, and 65 military hospitals. Whether in Air Force or Army medical clinics and hospitals within the United States, aboard the USNS Mercy hospital ship sailing the seas, on the ground in the remote mountains of Afghanistan or on a beach under hostile fire, the MHS is determined to find a solution. That is why they are looking to partner with innovative companies like Evolvent Technologies, Inc., who understand the MHS’ mission and that of the four Services to develop these much needed solutions.

The MHS was interested in a solution that would enhance the Department of Defense’s (DoD) Electronic Health Record (EHR) by including aspects of the health record from any media. This military EHR evolution is expected to help bridge the gap between DoD and other Federal agencies (e.g., Veterans Affairs) to not only improve the quality of care, but also to “close the loop” in the continuum of care by making ALL of a patient’s necessary information available anytime regardless of where medical attention may be needed.

The military’s EHR is in place, but it is in different states of awareness with respect to artifacts and images (A&I). Here is how it currently works. The automation effort in a military healthcare setting begins with patient appointment scheduling, registration, check-in and discharge, and accounting and billing. The next step is computerized physician order entry (CPOE) with the implementation of modules for laboratory, radiology, pharmacy, and other ancillary orders. As a patient traverses the encounter workflow, there may be a multitude of other patient A&I generated through the continuum of care such as waveforms (i.e., EKGs), x-rays, imaging studies, photographs, scanned documents, video and audio files. This is where a major split in the patient “record” occurs; the A&I generated as a result of the encounter are typically not attached or associated with the EHR in any way. Instead, they are stored electronically and on paper in various disparate systems, including the patient’s paper medical records. This scenario describes why the MHS desires to enhance the EHR such that it becomes a complete electronic health record by incorporating A&I, free text documents, and structured data.

Currently, DoD patients may have paper medical records stored in different locations. An encounter record may be stored in one system, ancillary data in another system, and radiological images and imaging studies for various modalities (e.g., Computed Tomography, Magnetic Resonance Imaging, Cardiovascular Imaging, Nuclear Medicine, and Dental Imaging) are stored in Picture Archiving and Communication Systems (PACS) and are not easily accessible by the point-of-care providers. The healthcare provider typically has to search in multiple systems and request medical records from multiple locations, if there is time, to fuse the needed information for a complete picture of the patient. Furthermore, some data are not easily accessible to the DoD clinicians outside the clinical department where the A&I were acquired. You probably already have an idea of the end result, but in summary one can only form a complete view of a patient’s current health status by expending a great deal of resources manually searching, gathering and assimilating a patient’s information, which is all over the place, into a complete medical record. This reiterates the MHS’ dire need to establish a single, virtual location for all patient-centric medical information. Can this be done? In short, YES!

Patient data can be captured, reformatted into an electronic version based on standards, and linked via metadata to the patient’s electronic health record. Capturing, storing and managing all of this A&I would bring the complete medical record together through the combination of the computable and non-computable data into a single system. As a first step towards this vision, the MHS awarded Evolvent a contract to develop a scalable, maintainable, efficient and effective technical solution that allows essential healthcare A&I generated during the healthcare delivery process to be accessible across the DoD. Furthermore, they also want to make the information available to Department of Veterans Affairs medical facilities and other Federal agencies by connecting it to the proposed National Health Information Network (NHIN). This objective supports an initiative started by former President George Bush and carried forward by President Barack Obama, which is to create an electronic health record for every American by 2014.

This new contract, called the Healthcare Artifacts and Images Management Solution (HAIMS), tasks Evolvent to help design and develop an enterprise-wide imaging system that links all patient A&I to their electronic health records. It is expected to offer healthcare providers a single source for all patient-centric data. Radiological images stored in PACS will be linked and artifacts, to include scanned documents, EKGs and other file formats, will be efficiently stored and managed. The need for specialties to share images will be met by providing rapid access to image studies and workflow tools, and shared A&I will be accessible across the DoD and VA in real time. The design will use a sophisticated architecture designed to cost-effectively address complex issues such as a globally dispersed system, network latency, interrupted communications, large image/file sizes, redundancy, and storage. The metadata will be displayed via a web application module where providers will search for available A&I, and via a pick list can pull and display A&I on their clinical workstation. This architecture will also enable the scanning and capture of any and all other types of image data, to include paper records provided by out-of-network care, sharing of data with the VA and other future Federal agencies, and certainly the historical paper medical record as well.

HAIMS will link patient data that addresses the needs of both primary care clinicians and specialists. Specialists will be able to review and interpret A&I and generate reports that will aid providers in their treatment plan. HAIMS will help give providers a complete medical record, giving them the entire medical picture from a single source and enabling them to provide safer care at the right time no matter where the point-of-care may take them.

HAIMS will allow providers to treat patients in the clinic or bed side with access to relevant A&I to more effectively and safely treat illnesses and identify the most appropriate follow-on care.


Behavioral Health

By Monty Nanton

The National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2006 and 2007 authorized the Secretary of Defense to develop an innovative, internet-based delivery of behavioral health tools to improve or augment military and civilian healthcare systems in providing early diagnosis and treatment of Post-Traumatic Stress Disorder (PTSD) and other mental health conditions.

As the practice of medicine has evolved, so has the introduction of multiple and sometimes recurring concussive forces on warriors on the non-linear battlefield. In order to address these behavioral health challenges resulting from PTSD, Traumatic Brain Injury (TBI), and Mild TBI (mTBI), the Military Health System (MHS) must leverage information technology to raise casualty care to transformational levels. Evolvent has been an integral part of MHS’ effort to reach these levels. We recognize, however, that our support of transformational advancements in the quality and productivity of the MHS requires tools and techniques developed from computer science and engineering in the social and behavioral sciences.

Evolvent Technologies, Inc. is currently working three key programs for the MHS component called Defense Health Information Management Systems (DHIMS) and the Army’s Medical Command with respect to behavioral health: the Neurocognitive Assessment Tool (NCAT), the Army Telehealth Program, and Virtual Worlds Second Life®. All three are described in the following paragraphs.


NCAT

This program is designed to help DHIMS improve the delivery of neuropsychological health assessment services to our active duty military personnel. Evolvent’s technical solution was carefully crafted to provide an NCAT capability that enables baseline and post-event screening to occur at both theater and sustaining base echelons of care. Our solution meticulously incorporates the features and capabilities of the Automated Neuropsychological Assessment Metrics (ANAM) to ensure a delivery consistent with the current infrastructure, operating and integration environment and an implementation tightly aligned with current DHIMS processes and methodologies.

Several years ago, the DoD recognized the pressing need for a computer-based neuropsychological assessment capability and invested in the research and subsequent development of components of the ANAM. The components of ANAM were then licensed by the U.S. Army to the University of Oklahoma Center for Human Operator Performance for further development. Evolvent has been an integral part of past and recent efforts to develop and deliver this critical capability. With the recent wars in Afghanistan and Iraq, the criticality of deploying this capability has taken on a new sense of urgency and importance. Our team and our solution are therefore characterized by a personal and professional commitment to delivering a proven, world-class neurocognitive assessment capability.

The goal of this effort is to develop the optimal IM/IT integrated stand-alone, connected, and web-based solution to deploy, manage and operate a neurocognitive assessment tool in Theater, within the United States, and overseas locations at military treatment facilities and the farthest forward treatment echelon practical and allowable. The completed system will operate on a hardware and software architecture maintained by the Medical Communications for Combat Casualty Care (MC4) component in Theater and will permit functional users to administer, store and retrieve assessment test result data to be used to support both diagnostic and research activities. NCAT assessment results will be centrally stored and available to all authorized NCAT users throughout DoD.


Consultation and Development in Virtual Worlds

The goals for this program are to analyze, prototype, develop and evaluate virtual worlds including Second Life (SL) and their applicability and utility for support of military personnel with Psychological Health (PH) and TBI concerns. In this effort, Evolvent is providing initial consultative services about virtual world use for behavioral health as well as development and implementation of a Military Behavioral Health space via the SL software, tool set, and virtual environment. This includes, but is not limited to, consulting with government personnel on the possibilities within SL, the development of the structures, scripts, and avatars required, the maintenance of the virtual space to ensure routine regular functioning, the payment of land use fees, island billing, and any use fees required for the execution of this task. We also provide a functional assessment of existing and emerging mainstream social networking websites. A Functional Assessment Report which assesses the most prolific socially networked web applications to include, but not be limited to, Facebook, MySpace, YouTube, and Wikipedia will be provided to the government. This assessment report will outline the capabilities, standard uses, most valuable components, and applicability to the Tele-TBI/Health capability mission.

Our technical approach to this task includes engaging in interactive consultative design in collaboration with the behavioral health experts assembled in the T2 directorate. We will apply our knowledge of what is possible to our understanding from the government of what is desirable in designing and planning the SL area of this emerging collaborative medium in the creative adaptation of technology to the behavioral health disciplines. We understand that initially, the SL presence is designed to target primarily psycho-educational and community building objectives, with a potential future expansion to medical consultation and treatment.

By directly engaging with SL, by direct participation via Avatars, by customized monitoring via SL scripts and integration, and by soliciting user feedback, we monitor the behavior of the virtual space to identify problems and required maintenance. These lessons learned through periodic maintenance will help us identify areas for improvement in scripts that reduce or eliminate disruptions in proper function.

In all, we will create, according to the designs of the Consultation Report Plan, one or more SL private islands, creating buildings and other objects as required by our planning.

Creation of Second Life® Avatar


Telehealth

The Tele-TBI/Health initiative will provide the personnel, equipment and management support to assist in the standup and execution of an Army Medical Department (AMEDD) global Tele-TBI/Health capability. This support will provide the necessary infrastructure, management oversight, clinical and technical consultation and healthcare services needed to build a global AMEDD Tele-TBI/Health capability.

The Office of The Surgeon General (OTSG) and the Medical Command (MEDCOM) Headquarters, also known as One-Staff, is undertaking efforts to establish an AMEDD global personnel and hardware infrastructure required to conduct Tele-TBI/Health operations. The Tele-TBI/Health personnel will work in a military treatment facility and will support designated specialties and related programs within and among the Army’s Regional Medical Commands (RMC).

The Telehealth initiative is implemented in three phases:

• Cell Phone Telehealth: The Tele-Traumatic Brain Injury (TBI) Cell Phone Initiative serves as the focal point for designated AMEDD Regional Medical Commands (RMC) and Community Based Warrior Transition Units (CBWTUs) for all Tele-TBI Cell Phone initiatives to include the delivery and management of TBI care. This program serves as a support function of the RMC and is responsible for planning, developing, monitoring, implementing and collecting metric data as it pertains to Tele-TBI Cell Phone Initiative matters. The Tele-TBI Cell Phone Initiative, which includes a Project Manager and several Nurse Case Managers, will work closely with the RMC Tele-Health Management Cell, RMC leadership and personnel throughout the RMC, DVBIC, and CBWTUs.

• RMC Telehealth: The RMC Tele-TBI/Health initiative provides the personnel, equipment and management support to assist in the stand-up and execution of an AMEDD global Tele-TBI/Health capability. These personnel provide the necessary infrastructure, management oversight, clinical and technical consultation and healthcare services to support the building of a global AMEDD Tele-TBI/Health capability. This personnel function consists of a Program Manager, a Nurse Case Manager, and a Telehealth Technician at each of the Army Regional Medical Commands.

• Clinical Coordinators: The Clinical Coordinators portion of the Tele-TBI/Health initiative provides the personnel support at the medical activity level to assist in the consultative treatment and management of individual TBI candidates. These personnel exist in multiple sub-specialty disciplines associated with PH and TBI and provide the clinical and technical consultation and healthcare services needed to support the global AMEDD Tele-TBI/Health capability.

Architecture of Global Telehealth Capability Through Phases 1 and 2


Duplicate Patient Records: Bringing a Focused Approach to the MHS Forefront

By Karen Gonzalez

An average of 195,000 people perished due to potentially preventable medical errors in the United States according to a study of 37 million patient health records over a two-year span.¹ Incorrect dosages, drug allergies, drug toxicity and misdiagnosis are a few of the causes, but what was - and continues to be - the root cause of this calamity? How many of those unfortunate deaths were attributed to the integrity of the patient data housed within the medical systems of our hospitals and clinics? The above statistics are derived from the civilian sector of healthcare, where the same provider or group of providers treat patients consistently in the same geographical area and the continuity of care is present for an extended period of time. When considering the unique challenges of providing healthcare within the Military Health System (MHS), one has to be more concerned about data quality relative to the MHS’ electronic medical record and the quality of care provided to MHS beneficiaries.

There are unique challenges in the MHS that may contribute to corrupt data in its electronic medical record system. Identification of a patient at each military treatment facility is typically acquired by the end user using the patient’s name and the social security number of the patient’s sponsor. This is important to note because eligibility for care is dependent upon a patient’s relationship with an eligible sponsor. A patient could be their own sponsor if they happen to be the active duty or retired military member. If a patient is not active duty or retired, the patient must be associated with someone who is, and that person is thus their sponsor. Their sponsor’s social security number becomes their verification of eligibility for care. Other challenges include patients being seen at multiple facilities and by multiple providers at each facility throughout their lifetime, which can result in their information being stored in multiple databases throughout the world.

¹ http://www.medicalnewstoday.com/articles/11856.php

To complicate the challenge further, a patient’s sponsor status may also change a few times over the course of their lifetime, resulting in their information in databases being updated to reflect each change. It is also possible for military beneficiaries to fall under more than one sponsor category as a patient. For example, a patient may be married to an active duty member, may be a reservist, and may also be a DoD contractor, each a separate and distinct patient sponsor category, but the patient still remains one person. How does the MHS handle this complexity in an ever-increasing digital world?

The Defense Manpower Data Center (DMDC) implemented a unique electronic identifier called the Electronic Data Interchange Person Number (EDI_PN) to identify a person. It is used in the DoD’s primary personnel and benefits system called the Defense Enrollment Eligibility and Reporting System (DEERS). It is also used in two of the MHS’ primary medical information systems, the legacy system called the Composite Health Care System (CHCS) and the Armed Forces Health Longitudinal Technology Application (AHLTA), DoD’s electronic medical record. The EDI_PN is not visible to MHS system users, and it is not currently part of the matching logic when registering a new patient into the legacy system. Instead, DEERS provides yet another EDI_PN to identify a person as a beneficiary when users complete new registrations in the system, which provides the opportunity for patient record duplication and enrollment discrepancies as a person’s status is updated.

These unique MHS challenges, along with current registration practices, human error, system errors and multiple systems attempting to work together, contribute to the thousands of duplicate patient records that reside in military health systems today. If in one system the duplicate records are not aggressively sought after and properly merged, duplicate records in the other systems occur at a rate much faster than they can be merged or even worse, unmerged. In an ideal medical world, the goal should be ONE PERSON = ONE RECORD.

The MHS recognized this challenge early on and has responded by funding programs that attempt to rectify this issue by proactively searching for patient records with discrepant data in the legacy system – CHCS. This proactive approach has unveiled to a certain extent the depth of this duplicate patient record dilemma. They have uncovered thousands upon thousands of duplicate records revealing the seriousness of the problem; the challenge is now figuring out how to match and merge the correct records and implementing corrective and preventive measures to halt the duplication. Identification of the problem is simply not enough; it requires deliberate effort towards a real resolution.

The goal of military healthcare, as it is in the civilian sector, is to transition to an accurate, updated and complete Electronic Health Record (EHR) for each individual receiving care. During this transition, each system containing a piece of patient data should be updated and corrected to display accurate and up-to-date information. The military EHR still relies heavily on the legacy system – CHCS – and DEERS for key information such as patient registration, admissions, appointment scheduling, eligibility verification and provider registration - to name a few. Therefore, attention and focus on the integrity of legacy system data should continue for as long as the EHR system relies upon it.

As thousands of duplicate patient records sit in the legacy system and possibly millions reside in the electronic health record system, there is no doubt this issue should be one of the top data quality priorities in military medicine. Tackling this challenge should be a joint Services endeavor requiring the best effort from those personnel (military, civilians and contractors) along the data quality continuum to implement a solution as soon as possible.

IDENTIFICATION

• Ensure existing systems rely upon the DEERS EDI_PN as the primary person identifier across all systems to identify a person receiving care. A person’s sponsor status may continue to be updated as necessary, but make the EDI_PN visible to end users, along with system alerts embedded in the registration process.

• Embed advanced matching logic to filter the system for potential duplicate records at the front end of the registration process when end users are entering the person into the existing military medical systems. Using this logic will help identify when an EDI_PN may not be present or may already exist for a given person. Incorporate an Enterprise Master Person Index technology to assist in the confirmation of patient data and prevention of duplication.
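The following Python example is added here and is not taken from the article or from any MHS system. It shows one way a front-end registration check could apply the two recommendations above: an equal EDI_PN settles identity regardless of sponsor, and a missing or different EDI_PN falls back to demographic matching that sends likely duplicates to human review. The field names, weights, review threshold and sample records are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from typing import List, Optional, Tuple
import unicodedata

REVIEW_THRESHOLD = 0.80  # assumed cut-off; tune against real merge outcomes


@dataclass(frozen=True)
class PatientRecord:
    record_id: str                 # local record number (hypothetical field)
    last_name: str
    first_name: str
    dob: date
    sponsor_ssn: str               # sponsor's SSN used for the eligibility lookup
    edi_pn: Optional[str] = None   # person identifier; absent on some legacy rows


def _norm(name: str) -> str:
    """Upper-case and drop accents/punctuation so 'María' equals 'MARIA'."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if c.isalpha()).upper()


def name_similarity(a: PatientRecord, b: PatientRecord) -> float:
    last = SequenceMatcher(None, _norm(a.last_name), _norm(b.last_name)).ratio()
    first = SequenceMatcher(None, _norm(a.first_name), _norm(b.first_name)).ratio()
    return 0.6 * last + 0.4 * first


def dob_matches(a: date, b: date) -> bool:
    """Exact match, or day and month transposed (a common keying error)."""
    if a == b:
        return True
    return a.year == b.year and a.month == b.day and a.day == b.month


def score_pair(new: PatientRecord, old: PatientRecord) -> Tuple[str, float]:
    # Same EDI_PN means same person, whatever sponsor category was keyed in.
    if new.edi_pn and old.edi_pn and new.edi_pn == old.edi_pn:
        return "SAME_PERSON", 1.0
    # A different or missing EDI_PN does not rule out a duplicate, because a
    # second identifier may have been issued at an earlier registration.
    name = name_similarity(new, old)
    dob = 1.0 if dob_matches(new.dob, old.dob) else 0.0
    # The sponsor SSN only adds confidence: one person can sit under several
    # sponsors, and family members share one sponsor.
    sponsor = 1.0 if new.sponsor_ssn == old.sponsor_ssn else 0.0
    score = round(0.5 * name + 0.35 * dob + 0.15 * sponsor, 3)
    return ("REVIEW" if score >= REVIEW_THRESHOLD else "DISTINCT"), score


def find_candidates(new: PatientRecord,
                    existing: List[PatientRecord]) -> List[Tuple[str, str, float]]:
    """Return (record_id, verdict, score) for every non-distinct record."""
    hits = []
    for old in existing:
        verdict, score = score_pair(new, old)
        if verdict != "DISTINCT":
            hits.append((old.record_id, verdict, score))
    return sorted(hits, key=lambda h: (-h[2], h[0]))


# Constructed sample data: no real persons, SSNs use the never-issued 000 area.
EXISTING = [
    PatientRecord("R1", "Garcia", "Maria", date(1980, 3, 4), "000-00-0001", "1000000001"),
    PatientRecord("R2", "Garcia", "Carlos", date(2005, 7, 12), "000-00-0001", "1000000002"),
    PatientRecord("R3", "Garcia", "Maria", date(1980, 4, 3), "000-00-0002", None),
    PatientRecord("R4", "Smith", "John", date(1975, 11, 30), "000-00-0004", "1000000004"),
]
# Same person registering under a third sponsor category, EDI_PN known.
NEW_CONTRACTOR = PatientRecord("NEW", "Garcia", "María", date(1980, 3, 4),
                               "000-00-0003", "1000000001")
# Same demographics as R1 but carrying a second, different EDI_PN.
NEW_SECOND_EDI = PatientRecord("NEW", "Garcia", "Maria", date(1980, 3, 4),
                               "000-00-0001", "1000000099")

if __name__ == "__main__":
    for label, rec in (("contractor", NEW_CONTRACTOR), ("second EDI_PN", NEW_SECOND_EDI)):
        print(label, find_candidates(rec, EXISTING))
```

The child record R2 shares the sponsor SSN and surname with R1 but is scored as distinct, which is the case a sponsor-SSN-plus-name lookup alone cannot separate.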

CORRECTION

• Update existing MHS technology with improved automated patient record merge software for the legacy system and ensure key data quality personnel are properly trained to monitor this process to ensure accuracy. Initially, it may be critical to establish a duplicate patient record resolution team whose primary task would be to oversee the record merge process not only in the legacy system, but in the EHR system as well.

TRAINING

• A process is only as good as the people who use it. All personnel who touch medical records must be properly educated on the importance of process discipline and its impact on the accuracy of information in the electronic medical record, and on the impact of corrupt data (e.g., duplicate records) on patient safety.

• Include in education programs why a ‘master person index’ concept is important and the role information technology plays in this process.

PREVENTION

• Prevention really is the best medicine. There are a number of other prevention and communication clichés that could be used here, but suffice it to say that properly training, educating and informing everyone along the electronic medical record lifecycle will in fact prevent medical record duplication from occurring.

With the executive order from former President Bush, which called for the widespread implementation of interoperable Electronic Health Records, as well as President Obama’s multi-billion dollar plan to back up this initiative, a top focus of the military’s present state of Health IT should be on cleaning up duplicate patient records, preventing duplicate records from occurring starting at the front end of the process, and paving the way to a fully functional and interoperable military Electronic Health Record. ◆


Using Social Networking To Engage the Healthcare Consumer

BY BARRY P. CHAIKEN, MD


E-mail is so 20th Century!

Now people connect through text messaging applications such as Twitter or on social networking sites such as Facebook. They continue to communicate and exchange information asynchronously as before, but at a faster pace that is much closer to real time. Viral no longer refers to a small piece of genetic code that gives you the sniffles. It now describes the explosive distribution of information through an unregulated, “Wild West” technology platform commonly known as the Web 2.0 Internet.

A small snippet of information posted on a blog or YouTube can be shared with millions of people within hours, using a distribution engine powered by the information consumers themselves. Many more Americans saw Tina Fey’s now classic impersonation of Governor Sarah Palin on YouTube than live on the television program Saturday Night Live. The link to the video was widely exchanged in blogs, Tweets, and postings on MySpace. Consumers saw the video clip on laptops, PDAs, and mobile phones.

Before the introduction of Web 2.0 social networking tools, consumers mostly obtained their information from controlled information outlets such as news organizations, corporate public relations departments, industry associations, and consumer reporting agencies (e.g., Consumer Reports®). Today these organizations only supplement the much larger review information and commentaries posted by active participants in the online world.

Reviews You Can Use

For example, the website Trip Advisor® (www.tripadvisor.com) allows travelers to post reviews of hotels including personal digital photos of the accommodations. Travelers no longer need to rely upon glossy brochures or hotel web sites that show the facility in its best light. Consumers, using social networking web sites such as Trip Advisor, consider multiple reviews of the hotel posted by a broad range of travelers, some just like them.

Unbiased and willing to share their experiences, these travelers reduce the hotel’s influence and control over its own reputation and brand message. The hotel is subject to the unfiltered commentary provided by its guests. Although some hotels generate fake reviews to boost their image, the number of real reviews posted often overwhelms these fake reviews.

Threatened loss of control of its reputation and brand creates great worry among organization leaders. Healthcare entities, physicians, and other members of the healthcare community work hard to develop and maintain reputations to ensure ongoing revenue through continued referrals. Widely publicized catastrophic medical errors, or reports of poor quality, can lead to collapsed care programs as patients and payors switch to other institutions.

Small Events Can Yield Big Impact

Before online social networking, only news of the most serious events reached large numbers of consumers. Less sensational events did not have the impact necessary to attract the attention of the mass media, the only effective distributor of information to large numbers of consumers previously available.

All of this has changed. Now consumers record even minor events and place them unfiltered in cyberspace for review by anyone at anytime. This “raw” information lacks any degree of checking of its accuracy, relevance, or completeness. Both factual and inaccurate stories are posted side by side communicating an unscripted image of an institution, group practice, or individual physician.

Consumers with similar experiences are also able to comment on postings, thereby adding credibility or contradiction to any story. Additionally, those mentioned in the postings can add further details or information to “correct” or enhance the story. Each posted story offers a forum for give and take allowing all interested consumers to express their own facts or opinions. Consumers effortlessly share postings with others, therefore encouraging more people to contribute.

When such online collaboration attains a level of momentum where thousands and thousands of online users consume the content and then forward or contribute to it, the content is described as having gone viral. Although a relatively rare occurrence for any single piece of content, information goes viral regularly in cyberspace. Jokes, urban legends, and videos are examples of frequent “gone viral” content.

Organizations that fail to understand the influence of online consumers in their strategic and operational planning will surely be blindsided by some unanticipated event and will be completely unprepared on how to respond. In addition, such organizations are missing an opportunity to engage proactively these online consumers. Actively working with these savvy online users, while providing them with a social networking forum to express themselves, greatly assists in any effort to enhance business models, improve service offerings, and publicize success.

TYPES OF ONLINE PARTICIPANTS

Charlene Li and Josh Bernoff, both analysts at Forrester Research, categorized online participants in their recently published book Groundswell. The six types of online participants include:

• Creators: The most active, sophisticated users of social networking applications, these online consumers at least once per month publish a blog or article online, maintain a web page, or upload videos or audio to sites like YouTube. Based on a 2007 survey, in the U.S. Creators represent 18% of the online adult population, in Europe just 20%, and in South Korea 28%.

• Critics: These online adults react to online content posted by others by posting comments on blogs or online forums, posting ratings or reviews, or editing wikis. There are many more Critics than Creators, encompassing 25% of US online adults, 20% of Europeans, and 36% of Japanese.

• Collectors: Acting to collect or aggregate information, these online participants save URLs and place tags on social-bookmarking services like del.icio.us, vote for sites on a service like Digg, or use RSS feeds on services like Google Reader. This effort works to help organize the tremendous amount of information placed on the Web by Creators and Critics. About 10% of adult Americans and Europeans are Collectors.

• Joiners: These are the adults who participate in or maintain profiles on social networking sites such as MySpace, Facebook, or LinkedIn. More than 25% of American adults are Joiners with levels above 40% for South Koreans. Joiners make up about 10% of online adults in Europe.

• Spectators: Consumers of what others produce on the Web, little effort is required of Spectators to participate. These adults read blogs, forums, reviews, watch videos, and listen to podcasts. Since being a Spectator requires so little effort compared to the other types, it makes up the largest group of online participants. About 48% of Americans, 37% of Europeans, and two-thirds of Japanese adults are described as Spectators.

• Inactives

56% of American adults are active participants in online social interaction.

Opportunities for Healthcare Providers

Rather than a threat, social networks offer healthcare organizations a new tool to connect with healthcare consumers. As consumerism continues to take hold and consumer directed health plans become more commonplace, organizations need to remain in constant communication with the patients they serve to keep those individuals loyal to their facility or practice. Social networks allow for multifaceted, regular communication with healthcare consumers that assists in building and maintaining this necessary loyalty. As consumer control over the spending of their healthcare dollars increases, their behaviors will more closely mimic their behavior in purchasing other products and services. Therefore, effective management of an organization’s online presence greatly influences financial success.

According to Li and Bernoff, successful strategies for entering this online world rely upon using an organization’s online presence to achieve one of five objectives:

» Listening - To better understand customers and to conduct market research; valuable for use in marketing and development. Example – A hospital is considering opening an ambulatory clinic, open nights and weekends, in response to the recent dedication of a clinic at the local Wal-Mart.

» Talking - To spread messages about your organization; valuable when expanding online marketing initiatives to a more interactive level. Example – A cosmetic surgeon considers offering a new anti-wrinkle skin therapy just approved by the FDA that has some side effects, and she needs to understand how customers perceive the complication risk.

» Energizing - To identify enthusiastic consumers and spread their enthusiasm and good words to others; valuable if a brand has passionate followers. Example – A surgical urology group developed a new procedure for performing prostatectomies that delivers fewer side effects, and the group wants to publicize its successes so other patients will seek out the group for treatment.

» Supporting - To assist consumers in helping each other; valuable for organizations with high support costs or where there is a natural affinity for people to support each other. Example – Believing that group interaction is critical to successful blood glucose control, a diabetes treatment center wants to link its patients so they can better assist each other in the self-care of their chronic disease.

» Embracing - To integrate consumers into a business including the design of products and services; the most challenging objective of those noted here and usually pursued after achieving success utilizing one of the previous four. Example – An academic medical center, recognizing the growth of consumerism in healthcare and the shift in reimbursement patterns, wants to engage its community of patients in the planning for the future expansion of services and facilities.

For any organization, engaging consumers utilizing the online world of social networking presents a difficult but manageable challenge. Experience in other industries highlights the enormous benefits and competitive advantage a successful strategy can deliver.

For the healthcare industry, the upside should prove to be even greater. After all, no industry encompasses services and products that exceed the emotional energy of the patient-caregiver relationship. By constructively interacting with consumers in the online world through social networking, healthcare organizations are likely to find a motivated consumer who passionately works to enhance the quality and safety of care delivered to themselves, their family, and their community. ◆

Barry Chaiken is on the healthcare advisory board of Evolvent Technologies and Chief Medical Officer of his own firm DocsNetwork, Ltd. He writes a regular column and serves as a member of the Editorial Advisory Board for Patient Safety & Quality Healthcare. With more than 20 years of experience in medical research, epidemiology, clinical information technology, and patient safety, Chaiken is board certified in general preventive medicine and public health and is a Fellow, Board Member, and Chair-Elect of HIMSS. He has worked on quality improvement studies, health IT clinical transformation projects, and clinical investigations for the National Institutes of Health, U.K. National Health Service, and Boston University Medical School. Chaiken also serves as an adjunct assistant professor in the Department of Public Health and Family Medicine at Tufts University School of Medicine. He may be contacted at [email protected].

References: Li Charlene, Bernoff Josh. Groundswell. © 2008 Harvard Business Press, Boston, MA. www.tripadvisor.com; www.twitter.com


Security Challenges and Threats

By GUY SHERBURNE

Information technology has changed the way we work, the way we communicate with one another, the way we educate, the way we entertain, and the way we interact in just about every aspect of our lives. Although it has changed our lives subtly, it presents some powerful implications for the future. We know from a historical perspective with other technologies that a new technology often results in effects we did not anticipate, a.k.a. disruptive technology. Automobiles significantly improved our mobility but changed the character of our cities. Advancements in medical technology have forced us to confront life and death decisions of a kind never faced before. Computer technology, while improving nearly every aspect of our lives, has created significant security challenges to counter invisible threats – viruses, hackers, terrorists, and foreign military digital warriors who are trained to disrupt or take control of targeted computer technologies. Hostile external and internal threats arrayed against the United States are extensive and sobering, presenting our government and nation’s industry with increasingly serious challenges to the security of technology systems and the information they process and store. These threats span all types of operational venues to include traditional espionage, terrorism, cyber terrorism, foreign military cyber attacks, organized crime, technology transfers, internal system users, and rapidly developing technological changes. This makes all kinds of sensitive information vulnerable, such as classified government information, industry’s emerging scientific and technological breakthroughs, and financial, medical, and personal information.

Our rising reliance on information technology has increased the value of information systems and infrastructures as a target for exploitation. As noted in recent events, the private, public, and government sectors show that uninformed decisions have led to information loss, a compromise of personnel data, legal consequences, an adverse impact to military operations, and the need for costly repairs.

CEOs and government leaders, in the end, are responsible for protecting organizational assets – people, intellectual property, sensitive information, infrastructures, networks, and computing resources. This has become more important and increasingly difficult with the rise in the number and sophistication of cyber threats. It is important to understand the risks, whether created by threats or advancing technology¹, in order to logically deal with them in a way that leads to the desired security results – a secure infrastructure that protects information in any form at rest or in transit.

“...the third greatest threat to the security of the United States. The only two preceding it are nuclear war and weapons of mass destruction...”
Shawn Henry, Assistant Director, FBI Cyber Division (http://www.tgdaily.com), 7 Jan 09

The security challenges and threats faced by the government, industry, and commercial sectors are nearly identical. Except for unique military hardware and space platforms, which all use computer technology, the government uses the same computer hardware and office automation software used by industry and the commercial sectors. Connected together by vast networks, all government, industrial, and commercial technology systems face the same security challenges and are vulnerable to the same threats.

Several countries have established Information Warfare (IW) operations whose mission is to defensively counter electronic warfare attacks from other countries and offensively initiate a technology attack on any country’s military, industrial and other sectors’ networks and systems. Malicious code and viruses cannot distinguish between a government, industry, or commercial system, making all systems and networks vulnerable. For example, the action by the Department of Defense prohibiting external hardware (e.g., flash drives, thumb drives, CD/DVD, etc.) was in reaction to the recent impact of a malicious code that had been around for the past few years, despite the virus protection file that had been issued over a year ago designed to protect against this code.

Examples of IW operations were illustrated in the wake of the Russian-Georgian conflict where strong evidence indicates that Russia had coordinated a cyber attack against Georgia’s Internet infrastructure. Other examples include China being blamed for launching hacker and malicious code ventures against government, industry, and commercial sectors, and Israel, Hamas, and Iran continuing to launch IW attacks against each other. Although computer technology is providing us with wondrous improvements to our lives, the invisible threats from malicious codes and foreign military IW operations present unique security challenges that cannot be resolved with or countered by perimeter-based technological security solutions alone.

One threat that may seem small in comparison with IW activities and malicious code is the set of vulnerabilities routinely found in software. IW operations and malicious code look for software vulnerabilities that can be used as a doorway to gaining control of a server or computer. Without software vulnerabilities, the impact of malicious code would be minimal to computers and networks, and IW operations might be limited to denial-of-service attacks that flood the Internet and networks with directed information overload. The threat from software is not just with the application design, where the programmer may have left a “back door” programmed in the software; the threat may also come from software patches, which are released frequently. Resource-strained IT departments may resort to installing high priority updates for servers and computers first, and leave the less threatening patches for later. IW personnel and hackers who understand the impact of resource constraints will focus on exploiting this routine-related vulnerability to probe for weak points that will allow them to install malicious code that allows the hacker to potentially take “undetected” control of several thousand computers. After taking control of multiple servers and/or computers, hackers are then able to initiate a distributed denial-of-service attack that historically has been able to shut down a network.

In January 2003, the “Sapphire” worm, also known as “SQL Slammer”, spread rapidly throughout the world in a very short time frame. Sapphire was designed to look for a specific buffer vulnerability in Microsoft SQL servers. Microsoft was able to proactively identify the threat and release the necessary security patch to fix the problem six months prior to Sapphire’s appearance. However, the world was slow to respond. The rapid spread of this malicious code clearly illustrated a lack of proactive patch management capability by many organizations across all sectors. Prior to this incident, our security team implemented for a government client a defense-in-depth security process that included a proactive patch management process. As a result of the procedures we designed and implemented for our government client, Sapphire had no impact on their worldwide email and video network conference operations – no downtime for any system!

Pentagon Hit by Unprecedented Cyber Attack
“As a result of the cyber attack, the Defense Department has banned the use of external hardware devices throughout a vast network of military computers.”
Justin Fishel & Jennifer Griffin, Fox News, 20 Nov 08

1 The advancement of technology brings with it an inherent risk that introduces multidimensional threats that ultimately increases risk.

Although virus protection is designed to protect systems, typical virus definition files are only designed to detect “known” viruses and do not afford protection against new and evolving malicious code. New virus definition files are normally released only after a recognized negative impact to computers and servers, and usually one to several days after the virus/malicious code has hit the World Wide Web. This obviously presents a significant challenge to securing networks.

One of the most neglected threats is the “insider.” Virus protection software is only good if it is properly kept up to date. If not, computer users, through Internet access, may download infected programs, music, or pictures, or they may connect to their personal web mail, creating potential backdoors around the organization’s firewalls and intrusion protection systems and creating an unimpeded avenue for intruders and malicious code to gain undetected access to the organization’s network resources. Additionally, firewalls and intrusion protection systems will only help to protect the network if someone – an insider – has properly configured the devices and is constantly managing the systems. In other words, does the insider stand up a firewall and never change the “out-of-the-box” configuration settings? Insiders will not normally act foolishly if they are properly educated on computer threats and the requirements to adhere to government, industry, or commercial entity policies. They must also be made aware of the repercussions of non-compliance – to the network, the cost of repair, and even their career.

The challenges to securing systems and networks are tremendous. Our experience has shown that they cannot be resolved with a technological solution alone. It is easy to fall into this limited defense-in-depth approach that is solely designed to create a network infrastructure that is only resistant and resilient to external attacks. Although this approach does help, it proved unsuccessful this past fall by failing to prevent a malicious code attack that impacted the Department of Defense. Our experience tells us that a true enterprise “Defense-in-Depth” process must include a holistic view: people (insiders and outsiders), facilities, policies, education, awareness, and technology. The process must also convey clear organizational understanding and in-depth knowledge of its vulnerabilities and threats and the associated risks and impacts on its critical lines of business.

In the end, the desired goal is to protect systems from inside and outside threats and to secure information, whether that information is government classified, protected health information, industrial proprietary data, or personal information. Protection from constantly changing threats requires implementation of sound security practices that are flexible enough to handle these threats and technological changes. Evolvent’s core of subject matter experts in IW, physical, personnel, information, and technological security – whose experience dates back to the late 1960s – implement these practices for our clients on a daily basis. Our knowledge has allowed us to put into effect a holistic defense-in-depth security posture for commercial and government clients. Through a comprehensive “lessons learned” understanding of the changing threats and challenges to security, our security methodology has kept our clients’ information secure and flowing smoothly. ◆


New Nationwide Healthcare Information Network To Enhance Patient Care and Reduce Costs

BY HARRIS IT SERVICES, FEATURING DR. BART HARMON

PRESIDENT BARACK OBAMA

“WE CAN NO LONGER AFFORD TO PUT HEALTH CARE REFORM ON HOLD... OUR RECOVERY PLAN WILL INVEST IN ELECTRONIC HEALTH RECORDS AND NEW TECHNOLOGY THAT WILL REDUCE ERRORS, BRING DOWN COSTS, ENSURE PRIVACY, AND SAVE LIVES.”

IN MARCH OF 2009, the U.S. Department of Health and Human Services (HHS) released as open source software the Nationwide Health Information Network (NHIN) CONNECT Gateway – a set of services that enables seamless and secure health information sharing among federal agencies and health care providers.

The release followed several successful live demonstrations last year that proved the gateway’s ability to easily exchange medical notes, lab results and other critical data between the Department of Defense, the Department of Veterans Affairs, the Social Security Administration, the Indian Health Service, the Centers for Disease Control, and the National Cancer Institute.

WHY DOES THIS MATTER? There are at least 90,000 reasons. That’s the estimated number of individuals in the U.S. who die each year due to medical errors. In addition to the tragic loss of life, some $300 billion of the over $2.1 trillion spent each year on healthcare in this country is consumed by wasteful, duplicate activities and fraud.

“Better information reduces mistakes, and in healthcare, mistakes hurt people – that’s why this matters,” says Bart Harmon, MD, MPH, and chief medical officer of the Healthcare Solutions business of Harris Corp., which was awarded the contract to provide NHIN CONNECT Gateway core services in March 2008.

Those services consist of software that can be easily downloaded by providers to quickly enable connection to the NHIN, and a software development kit that enables providers to quickly develop custom interfaces to the NHIN.

Dr. Harmon has long understood the critical role played by information in the healthcare process. He is the former chief medical information officer and director of information management for the Military Health System of the Department of Defense (DoD).

“Once errors are made,” he adds, “it then costs more to restore that person to good health. Improving information availability will help to improve quality, reduce costs and minimize needless suffering.”

Successful Demonstrations Lead to Public Release

The DoD, which is faced with meeting the needs of wounded warriors who are returning from active duty in wartime, is one of the government agencies that have participated in several live demonstrations of NHIN CONNECT during the past year.

The most recent of these took place in December 2008, hosted by Secretary of HHS Michael Leavitt and with members of the NHIN forum and others in attendance. This demonstration consisted of live information on fictitious people moving across the network to six different agencies.

Several ‘scenarios’ were featured during the demonstration. One was focused on an individual who had been treated for cancer as a child at the National Cancer Institute (NCI) and then was later seen within the DoD for seemingly unrelated problems. The decades-old NCI information was readily available, helping to provide an information safety net for the patient.

In a ‘Social Security benefits’ scenario, health information needed to make a benefit determination was electronically available in seconds when previously it has taken many months to request and receive photocopies of medical records to support claims and benefits.

Another successful demonstration took place last September during a meeting of the American Health Information Community (AHIC). Some 400 people gathered in the lobby of the Hubert Humphrey Building in Washington, DC to view the rapid and secure transfer of health information.

In a ‘wounded warrior’ scenario, NHIN connected the departments of Defense and Veterans Affairs with regional and national health information exchanges to demonstrate interoperable healthcare information sharing from the federal level to the community level and back. It also showed a ‘long-term disability’ scenario, during which the medical summaries were accessed easily by the Social Security Administration.

“While the demos have focused on the interoperable, secure sharing of healthcare summaries – diagnoses, medications and allergies – NHIN CONNECT could readily be extended to deliver virtually any kind of health record,” explains Dr. Harmon.

In addition, the NHIN CONNECT Gateway empowers patients by enabling them to determine how and with whom their medical information is shared.

“This is all done in a way that protects a person’s privacy, with high levels of security, and the services include features to enable patients to control who has access to their information,” explains Dr. Harmon. “If I want the clinic where I will be seen next week to have access to my information, I can approve access for all the staff there. I can also restrict access, so that, for example, a former spouse who works at that clinic cannot have access.”

First Use Under Way

The Social Security Administration was the first agency to go live with the NHIN CONNECT Gateway system in February. This implementation is expected to significantly reduce the time required to process long-term disability claims for individuals – including wounded warriors – as they move through the federal and private healthcare systems. Going forward, the NHIN will move into limited production during 2009 as federal agencies and Health Information Exchanges go live with NHIN, resulting in a true nationwide healthcare information network.

With the loss of life resulting from medical errors and an economy buckling under the weight of runaway health care costs, tools such as NHIN CONNECT exemplify the role that technology can play in redesigning the U.S. health care system as we seek to reduce costs, improve quality, empower our citizens and – ultimately – save lives.

“The Gateway system is transformational,” says Dr. Harmon. “It has the potential to usher in a new era of health information sharing – one where our medical data is accessible no matter where we are or in which facility we receive treatment. It will be a valuable tool for saving lives and reducing costs by sharing and managing medical information.” ◆


Thought Synch: Proof of Need for a Virtual Data Framework Vision

BY JOHN DANIELS

Evolvent thought leaders have written over the last couple of years about the current data-rich healthcare environment and how data continues to pile up despite organizations’ best efforts to harness the power of those data for the benefit of patient care and business intelligence. We are in sync with others in the healthcare industry who have also written about this dilemma, expressing from different vantage points a need for a solution. Our vision of a Virtual Data Framework (VDF) transcends current literature on this dilemma, offering a vision for resolution.

The Information- and Knowledge-Intensive Healthcare Industry

My Evolvent colleagues and I, along with many other industry thought leaders, have discussed the healthcare industry’s adeptness at data collection, but we posit it is behind the power curve in effectively using its data. In a recent report from the National Research Council (NRC), the modern healthcare industry is described as “…an information- and knowledge-intensive enterprise.”[1] But the dilemma revolves around the industry’s ability, or lack thereof, to transform these data into information and knowledge. An objective of the NRC study was to determine how computer science-based methodologies and approaches might help towards a resolution. Although the researchers found some successful information technology (IT) implementations, they found even the most successful implementations fell short. Because of the transactional nature of our healthcare system, its IT systems do not effectively assimilate the data, information and knowledge necessary to provide optimal, situationally appropriate care to me when I’m sick. Worse, these systems seem to do nothing proactive to prevent me from becoming sick. It stands to reason, then, that the NRC report would describe a healthcare system where providers get lost amid all the data, tests, and monitoring equipment trying to understand my particular health status.

So how can IT be used to provide the cognitive support healthcare providers need? The NRC report offers excellent strategic suggestions and echoes what many of healthcare’s thought leaders are saying, but it does not offer any potential tactical ideas. Evolvent’s VDF vision fills this tactical gap between where thought leaders are strategically trying to point organizations and the execution support organizations need to get there. A well-planned, well-developed, and deliberately executed VDF will help give healthcare providers the transparent tools they need to develop a holistic picture of each patient under their care, whether it is a reactive or a proactive (preventative) picture.

Health Information “Liquidity”

The Federation of American Hospitals and Booz Allen Hamilton collaborated on a White Paper that provided a strong case for the free flow of information.[2] Although the paper’s focus was on health information exchange (HIE) between organizations, the full benefits of inter-organizational HIE cannot be realized until each organization is able to achieve free flow of information internally. I agree with the idea that implementing electronic health records (EHR) is needed to help an organization move away from a paper-based system. However, the White Paper suggests, we must move beyond a focus on EHR adoption to focusing on information flow and communication. I agree and would take the thought a step further by stating we must move beyond a focus on IT adoption in general.

Implementing a VDF across an organization allows the organization to focus on outcomes. A VDF takes advantage of innovative IT products developed on approved IT standards that will not only help an organization achieve internal business efficiencies and improved clinical quality and safety, but will also better position the organization for sharing information within the National Health Information Network and help our country achieve its goal of having an electronic health record for every American by 2014.

National Performance Measurement Data Strategy

The Joint Commission (JC) embarked on a public policy initiative in 2001 with its mission being to improve the safety and quality of healthcare provided to the public. As part of this initiative, the JC published a white paper in 2008 to frame the issues associated with establishing a national performance measurement data system.[3] I agree with the JC’s assessment that the current national infrastructure will not support such a system. Even if a national infrastructure was in place, most organizations are not ready to exchange information inside their own institution, much less outside the institution in a standardized manner. The JC describes a situation where data are collected in fragmented ways resulting in an incomplete view of performance quality for the organizations or individual healthcare providers. The report goes on to say IT “…could alleviate much of the burden associated with data collection as long as the systems have been designed with the requisite functionality to support performance measurement activities.”

A VDF would make use of the latest innovative technologies capable of pulling together and transforming these fragmented data – whether from EHR systems, PHR systems, registries, etc. – within the organization into information and knowledge to assist with measuring an organization’s own performance against national patient safety and quality standards. It will also facilitate an organization’s ability to transparently share its data with a national performance measurement data system using a scalable and adaptable framework that easily allows for adjustments when new performance measurement reporting requirements are developed and implemented across the healthcare industry.

The Value of Healthcare Information Exchange and Interoperability

I believe the topmost focus on improving the nation’s healthcare system must be patient safety and the quality of care provided. However, we cannot undervalue the impact improvements can have on the bottom line. One particular study published in a 2005 Health Affairs journal article indicated a potential savings of $77.8 billion per year across the industry if a national health information exchange network were fully implemented.[4] What does fully implemented HIE mean? The article described it as, “…electronic data flow between providers (hospitals and medical group practices) and other providers, and between providers and five stakeholders with which they exchange information most commonly: independent laboratories, radiology centers, pharmacies, payers, and public health departments.”

Because there are so many different entities with which an organization needs to share data, the effort and degree of complexity needed to establish independent interfaces is overwhelming. Implementing a VDF consisting of the right foundation – a service-oriented architecture (SOA) – and the right information management toolset would provide a practically seamless and transparent solution to helping an organization realize some of these reported HIE savings.

Evolvent’s Vision: Virtual Data Framework (VDF)

There is no doubt multiple data collection and information management products have penetrated the commercial and federal healthcare markets, but have they really helped organizations juggle their multiple data sources to improve enterprise data reconciliation, sharing, access, and reuse?[5] The recent industry reports referenced in this article have validated our thought leadership in this area by indicating the problem really does exist and urgently needs a solution. Our thought leaders are in sync with others in terms of possessing a clear understanding of the industry’s information dilemma. However, we like to take things a step further to help our customers put thoughts into practice, and developing a VDF vision reflects this ethos.

We have described our pursuit of a real business intelligence solution[6] that provides a flexible, intuitive, and common view across multiple data sources (clinical and business), a solution that reduces the time it takes to integrate new data gathering modalities into the portfolio, a solution that provides real-time information access to meet decision support requirements, and a solution that tactically and securely answers the question “how” when you read about the need for change in current healthcare industry information management practices.[7] We have described the need for a solution that uses the right mix of information management tools to effectively transform Data into Information into Knowledge and into Wisdom, making the results accessible across the enterprise for truly informed clinical and business decisions and performance measurement – “…bringing the right information in the right format to the right action officer or decision-maker.”[8] We have also described the complexities of the tool selection process, which is further complicated by the lack of interoperability not only within organizations, but also between organizations, and how this results in increased costs and propagation of organizational inefficiencies such as Overuse of Labor, Incompatible Systems, Data Inaccessibility, and Complexity and Dysfunction.[9]

Consider closely our VDF vision and how it could solve these interoperability and integration challenges. Put on your “critical thinker” cap and ask us the tough questions. We are known for our innovative thinking and have been engaged by multiple clients who are tired of the information management status quo. Our nation is expecting an IT miracle as we are being rapidly propelled towards a national health information network. Evolvent has the right team of innovative industry thought leaders and subject matter experts, including physicians and vendor partners, to make a significant difference for the common good. Our VDF vision is only one example of where we can make a difference. ◆

References:

[1] Computational Technology for Effective Health Care: Immediate Steps and Strategic Directions; William W. Stead and Herbert S. Lin, editors, Committee on Engaging the Computer Science Research Community in Health Care Informatics, Computer Science and Telecommunications Board, Division on Engineering and Physical Sciences, The National Research Council of the National Academies; The National Academies Press, January 9, 2009

[2] Toward Health Information Liquidity: Realization of Better, More Efficient Care From the Free Flow of Information; S. Penfield, K.M. Anderson, M. Edmund, and M. Belanger, Booz Allen Hamilton White Paper, January 2009

[3] Health Care at the Crossroads: Development of a National Performance Measurement Data Strategy; The Joint Commission White Paper; 2008

[4] The Value of Health Care Information Exchange and Interoperability; J. Walker, E. Pan, D. Johnston, J. Adler-Milstein, D. W. Bates, and B. Middleton; Health Affairs – Web Exclusive, The Policy Journal of the Health Sphere, January 15, 2005

[5] A Virtual Data Framework Vision, J. Daniels, Advance for Health Information Executives, Vol. 12, Issue 11, Page 37, November 1, 2008

[6] In Pursuit of Business Intelligence: The Virtual Data Network (VDN) Vision; Nisar Baig, Evolvent Magazine, Vol 1, 2008

[7] No IT solution will be the “magic bullet” until the industry agrees on interoperability standards and IT product vendors develop to those standards. Evolvent understands this limitation and is committed to helping its customers successfully navigate these waters.


Clinical Transformation

Leveraging Health IT to deliver safe, efficient care.

BY BARRY P. CHAIKEN, MD

Healthcare organizations implement clinical healthcare information technology (HIT) to achieve similar objectives: improve the quality of care, enhance patient safety, and eliminate inefficiencies in order to reduce the cost of care. Irrespective of the technology solution selected, however, implementing an expensive, comprehensive HIT system is nothing short of immensely disruptive to any organization. Senior management teams stake hard-earned reputations on the successful deployment of these very complex technology platforms.

Failure not only wastes millions of dollars of scarce investment resources, but it also poisons, for a period of time, the goodwill among clinicians needed to implement these critical information technology tools. A successful implementation starts with a comprehensive implementation plan that accounts for the needs and workflow of physicians and other healthcare providers.

As each organization has its own “personality,” it is important for senior management to draw from its deep well of administrative, management, and technical expertise to construct a unique plan that secures a successful project. As individual systems are seldom implemented in isolation, the chosen HIT applications must complement each other and work to enhance the new workflow required by these core clinical IT systems.

The deployment of one system significantly impacts other systems as the information flow of healthcare embraces great complexity. For example, laboratory systems that direct the flow of information usually just fit the needs of information flow within the laboratory department rather than that of the clinicians who are using the information for patient care. Such disparate goals and supporting IT structures exist throughout all clinical settings and must be overcome through clinical transformation to achieve a successful HIT deployment.

Just Building Interfaces Not Enough

Building interfaces that link the data from one system to another does not completely meet the needs of clinical information flow. The complexity of the data requires it to be exchanged with some level of context (e.g., laboratory ranges for a result, time of result, previous results, alerts) to make it meaningful. For example, within EMRs the external data may trigger an event (e.g., clinical guideline reminder triggered by a medication order – “check kidney function daily”). Therefore, all these systems, whether clinical or non-clinical, require careful analysis to fully understand their relationship to each other. It is the quality of the designed workflow of the clinicians coupled with the capabilities of the HIT system that delivers the outcomes achieved. When well done the results can be outstanding. When done poorly, the results can be terrifying.

Below are some suggestions on what to think about before, during, and after clinical HIT implementation. In addition, evaluation of an implementation does not end once the technical process is completed. Surveillance of results must continue for the life of the system in an effort to continually improve outcomes.

Current State Vs. Future State Implementation

Most organizations choose to minimize disruptions caused by HIT implementation by applying new technology to the current state of how clinicians deliver care. Current state describes, through diagrams and descriptive text, what activities are presently done. Documentation of the current state comes from clinicians and staff, at every level, who perform these activities and follow the workflow of the current state.

Processes and workflows are redesigned once the technology is installed. Organizations often choose to implement before processes and workflows are revised for several reasons including: 1) Desire for a shorter length of time to go live, 2) Limited resources available to complete process redesigns, and 3) Unclear links between potential redesigns and overarching organization objectives.

A few organizations, however, decide to reengineer clinical processes based upon their desired future state before implementing the system. Future state defines what the current processes and workflows would look like after relevant changes took place in those current processes and workflows. This is usually developed with the involvement of those who participate in the current state (e.g., clinicians), experts in any new technology introduced, and trained professionals in quality improvement and process redesign.

Organizations that decide to utilize current state for implementation must study their current processes and understand the impact new HIT tools will have on those processes. In this instance, processes are not actively changed in anticipation of the new capabilities afforded by the HIT tools, but the new tools are used to facilitate current processes. For example, pharmacy orders that were formerly hand written are now generated by an order entry system and printed at the nurse station for delivery to the hospital pharmacy. There is no electronic transfer of drug orders to the pharmacy.

An alternative approach is to study existing processes but also creatively design new processes that best leverage the capabilities of the HIT tools to deliver better processes, workflows, and outcomes. Unfortunately, the development of these best processes and workflows cannot be universally applied across any healthcare organization. Each institution is different, requiring documentation of current state and development of a best future state that considers the realities of plant, people and resources. Finally, an organization’s choice of either a current or future state implementation is greatly driven by organizational goals, administrative leadership and existing change management capabilities.

As implementation is disruptive to physician workflow, approaches that disrupt the physician workflow through measurable changes just once encourage higher levels of physician adoption of those changes when compared to implementations that deliver step-wise workflow re-engineering. Therefore, future state implementations offer higher rates of overall physician adoption if an organization intends to include clinical process redesign in their plans for HIT system implementation.

Measure Both Clinical and Non-Clinical Outcomes

Changes in workflow and processes require continual monitoring of outcomes. This feedback loop allows for the evaluation of best practices and the implementation of necessary modification of processes and workflows to achieve organizational quality and cost targets. In addition, added features and functions of upgraded system applications may offer opportunities for improvement of outcomes. Only through continual evaluation of outcomes and frequent analysis of processes can an organization take advantage of the opportunities presented by any new system capabilities.

It is important to align IT department goals with overall project goals. Due to their professional training, IT departments often become focused on getting the hardware and software “right” rather than the entire project. Successful deployments are not measured by installation timelines, response times, or number of working systems. Measurements for successful deployment of HIT systems must be linked to an organization’s specific patient care goals and objectives. These invariably include quality of care, patient safety, and cost metrics.

Clinical departments may use medical error rates, clinician efficiency, and billing accuracy as their metrics. In parallel, IT departments may use percent of clinicians as users, user satisfaction, and average time using the system as surrogate metrics to measure success. The development of a comprehensive deployment plan that includes rework of clinical processes and revised workflow driven by HIT, in addition to the obvious hardware installation activities, greatly increases the likelihood of securing expected outcomes from clinical HIT deployment.

Practice Patience To Achieve a Successful Implementation

Both healthcare organizations and vendors, excited about forging ahead with a new system, often allow their enthusiasm to overwhelm their professional judgment. In more rational moments, both know that extended and detailed planning greatly increases the likelihood that a deployment ends successfully. Although physicians and nurses, after viewing a demonstration of a clinical system, may be wowed by its capabilities, organizations need to realize that live production systems do not match the flexibility and response time of demonstration systems that are tweaked to deliver the best performance.

Budgeting a minimum of four to five months to plan a deployment is both prudent and necessary. During this time information is collected to better understand how the HIT system fits into the existing technology infrastructure, physical plant, and most importantly, clinical processes. In addition to planning, this pre-implementation time can be used to stage the necessary equipment (e.g., computers, desks, electrical supply, etc.) while securing the additional IT services (e.g., data center for backup) to guarantee a reliable system. Lastly, when developing an implementation timeline, consider all forces that may be driving both your organization and the vendor at a particular speed down a deployment path.

Summary and recommendation

Without question, successful de-ployment of a clinical HIT system requires comprehensive planning,

exemplary team leadership, and organization-wide patience to coor-dinate all the people critical to the project. Nevertheless, establishing a project’s overriding goals and ob-jectives, and communicating those clearly to every person involved in the clinical HIT deployment, sets a meaningful direction for the project that can be followed by everyone.

Processes and workflows drive outcomes with or without HIT. Ir-respective whether these processes and workflows are redesigned before or after deployment to take advan-tage of the capabilities of an HIT system, the processes and workflows will require revision. Therefore, it is

recommended to include the revi-sion of clinical processes and work-flows in the pre-deployment plan-ning so that a major change process occurs only once rather than twice. Although this may extend the plan-ning period, it decreases any post-deployment rework of clinical pro-cesses and workflows. In addition, this approach will prove less confus-ing to the clinical users as they are required to only change their clini-cal habits once.

It is tempting for organizations to exclude the difficult task of revising clinical processes and workflows during the deployment planning and schedule it for the post-deployment time period. Such a decision greatly increases the probability that this later revision will prove problematic or not even get done. Therefore, when implementing a clinical HIT system take a comprehensive, visionary approach, carefully plan the change management for revised processes and workflows, and stay focused on the overarching project goals and objectives linked to patient care. Only then can an organization achieve true clinical transformation. ◆

Successful deployment of HIT systems must be linked to an organization’s specific patient care goals and objectives

FURTHER READING

Chaiken BP. Revolutionary HIT: Cure for Insanity. Patient Safety and Quality Healthcare. 2007;4(6):10-11.

Chaiken BP. Eyes Wide Open: Buying Clinical IT. Patient Safety and Quality Healthcare. 2007;4(1):6-7.

Chaiken BP. Patient Flow: A Powerful Tool that Transforms Care. Patient Safety and Quality Healthcare. 2007;4(3):6-7.

Chaiken BP, Christian CE, Johnson L. Quality and efficiency successes leveraging IT and new processes. Journal of Health Information Management. 2007;24(1):48-53.

Chaiken BP. Path Innovation: Transcending Automation. Patient Safety and Quality Healthcare. 2005;2(3):46-47.

Chaiken BP. Healthcare IT solutions. In K. H. Cohn and D. E. Hough (eds.), The Business of Healthcare, Vol. 3, Improving systems of care. p.119-141. Praeger, Westport, CT.

Chaiken BP. Business Intelligence: Mining for Information. Patient Safety and Quality Healthcare. 2007;4(4):6-7.

An Information Protection Strategy Beyond Perimeter Defenses

By Monty Nanton and Guy Sherburne

In light of recent events across the United States involving information breaches which put Protected Health Information (PHI) and Personally Identifiable Information (PII) in the hands of those who would otherwise use the information for personal gain, public and private sector agencies struggle to put into place protective measures to stop the hemorrhaging. Evolvent Technologies, Inc. has placed significant focus over the last nine years on leveraging technology-enabled business security processes to protect business intelligence.

This article will demonstrate an effective approach to information protection which will safeguard information and mitigate the likelihood of unauthorized disclosure of information. Through a clear understanding of the threat and a technology-enabled, process-driven approach available from Evolvent and our partner Fortify, organizations can achieve information protection. An Evolvent program termed the “Information Protection Project” focuses on information protection well beyond the traditional perimeter approach commonly applied to secure information.

Our method is a structured approach to building a layered defense for protection of data. We understand the challenges of today’s interconnected global information environment, “a risk accepted by one, is shared by many.” Through a collaborative effort on everyone’s part – from the end user through the project sponsor – we can reach this information protection goal.

A best practices approach to information protection should start with target research and development of protection systems that are adaptive and ubiquitous. Rigid system solutions are eventually bypassed, compromised, or trashed as the environment in which they must work evolves.

Some dynamic and innovative measures, taken by the realistic threat, demand of us a better science of understanding complex systems or, at minimum, tools for helping to understand their dynamic operation.

The Threat

Technology enhancements have enabled greater efficiency in our business processes. At the same time, we have increased our dependency on technology and thus our vulnerability. The threat of compromised information systems in critical business operations poses an even greater threat to our businesses. Technology has enabled attacks against our way of life from within our organizations and abroad. While purely perimeter based defenses have been somewhat effective, they have forced criminal elements to focus more on the internal vulnerabilities to reach their own personal goals. The inability of businesses to secure the very systems that they have become wholly dependent on could well be the catalyst that exploits this weakness. Information assurance is the application of controls to mitigate the risk of exposure of our information systems.

An Information Protection Strategy

The information protection strategy encompasses an industry best practices layered defense. If you can envision your data as a three-dimensional ball with three rotating concentric circles of defense, then an understanding of the advantages of a layered defense should become clear. Where no single mechanism is infallible in protecting data, multiple mechanisms leverage the benefit of synergy to protect data. If you review the diagram below, you can see the concentric circles of defense and the many components within the circle. This defensive posture allows organizations to present a unique picture to the hacker at each attempt, reducing their ability to penetrate your organizational defenses while raising the risk of exposure by repeated attempts of extended duration. This layered defense creates significant risk to the attacker and thus eventually renders the attack unaffordable.

Our approach focuses on four key essentials to Information Protection:

– Security Investment Strategy
– Information Assurance
– Software Security Assurance
– Vulnerability Management

A Security Investment Strategy

If given one dollar to increase the protection of information for your enterprise, Evolvent recommends spending that dollar across five broad but important categories (see chart below). Spend the first fifteen cents on defining the enterprise information protection policy. Employees and administrators alike need to obtain a consistent understanding of the organization’s security policy to support and integrate those security goals with business strategies.

We recommend spending the next forty cents on marketing to raise awareness of the information protection program by allocating twenty cents on marketing to the general users and the other twenty cents to market to the information technology professionals in the organization’s IT shop. Evolvent’s Security Awareness process helps our clients reduce overall security risk to their operation process by integrating security into people’s daily business decisions – motivating them to support and implement security criteria. We draw upon over thirty years of extensive experience in security to create world-class awareness campaigns designed to meet government and corporate objectives and regulatory requirements. Our Security Awareness programs are designed for all employees, at any organizational level.

Spend ten cents on defining what needs protection and what your internal and external threats are to information protection. Understanding what data is critical and prioritizing the protection will lead to informed decisions about data protection investments. And, understanding the data relationships and dependencies is needed to ensure recovery operations can occur. A well-defined information protection program takes all of these things into account and offers a measure of resiliency which guarantees that the information can be brought back on-line within the desired parameters leaving nothing to chance.

Spend the next twenty cents on technology. The IPP is a good fit here. An information protection system which uses role-based permissions, coupled with hardware encryption that is adaptive, truly exemplifies the models that future network and data protection systems will follow. Last, but certainly not least, spend fifteen cents on process improvement. Streamlined security business processes, which employ a life-cycle approach to security, not only end unnecessary redundancies, they also reduce points of vulnerability. Application system code review is a good example of this. These processes also facilitate the integration of information protection into the organization’s strategic planning process, thus aligning protection initiatives in IT with the business goals of the organization.

An employee base that is educated on, understands, and is aware of security issues becomes the supporting foundation for a successful corporate-wide program.

Information Assurance

Information Assurance involves much more than integrity, availability, and confidentiality of data and more than protecting a computer information system. Information Assurance is a systematic approach to protecting an organization’s intellectual property.

Evolvent is a growth organization with an impressive track record of providing Information Assurance products and services. We are specialists in providing Information Assurance products and services to government, commercial, and military agencies. We bring an unparalleled depth of expertise and resource in Information Assurance to provide best value security products and services for our clients.

Our approach to Information Assurance encompasses a continuous four phase life-cycle approach. This methodology defines the activities, services, technology, and project management processes required to assess and provide a blueprint for organizational success. The key activities involved in this approach align directly with the accepted standard DoD, federal, and commercial approaches (DIACAP and NIST) and include:

1. ASSESS Focus on understanding the design and readiness of:
   – Environment (systems, networks, applications, facilities, and personnel)
   – Processes (policies and plans)
   – Related risks (internal, external, and emerging)

2. ADDRESS Include review of policies, plans, evidentiary documentation, training, implementation of countermeasures and architectures that address the risk associated with the organization’s security posture.

3. TEST Ensure that the requirements are executed in accordance with requirements and organizational priorities (verification/validation). The team can perform verification and validation assessments to ensure that the security protective measures perform as intended.

4. MONITOR, PLAN, AND IMPROVE Provide critical near and long-term guidance along with enhanced process and workflow, reducing risk, schedule and cost.

Our information assurance process leverages our strength and the strength of the organization we are supporting. This includes:

– A solid life-cycle methodology and approach

– Identification of risks and vulnerabilities

– Analysis of current or planned implementations against requirements

– The next steps that must be taken to support requirements

– Planning including detailed recommendations that are collaboratively derived

HOW TO SPEND A DOLLAR ON INFORMATION PROTECTION

| Cents | Category of Expense | Explanation |
|---|---|---|
| 15 | Information Protection | Spend 15¢ in nailing down the organization’s Information Protection Policy. |
| 40 | Awareness | 20¢ to advertise the Information Protection Program to general users and the other 20¢ to educate IT professionals. |
| 10 | Risk Assessment | A secure organization must understand what assets to protect, the internal and external threats and where the organization’s data is most vulnerable. |
| 20 | Technology | Encryption for data at rest, in-transit, remote access. |
| 15 | Process | Information Protection depends on management process and technology wizardry. Ongoing lifecycle development can keep networks humming for years. |

Software Security Assurance

According to the January 2009 edition of the CERT Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition – Version 3.1, forty-five percent of the 176 cases analyzed:

– 44% of cases involved IT sabotage

– 14% of cases involved theft or modification of information for financial gain

– 14% of cases involved theft or modification of information for business advantage

The report further stresses that “insider IT sabotage is a threat to any organization that relies on an IT infrastructure for its business, regardless of the size or complexity of the configuration.”

This is the face of the emerging threat. As organizations have focused mainly on perimeter defenses, the threat has focused its attention inward. Potentially one of American organizations’ greatest threats is one to which we are giving little attention. The U.S., through the H-1B program, gives foreigners access to the most advanced components of America’s technology industry. An area specifically at risk is software design. Control of compilers is a key part of a secure process for software development. There are several examples where perpetrators, rogue software developers, have inserted trapdoors in financial software to later steal money undetected. This carefully orchestrated and planned attack has become more commonplace while our organizational policies and government laws have remained behind.

A tested and proven methodology to address this risk is Software Security Assurance (SSA). SSA is a complete end-to-end approach for securing applications against the threat of cyber-attack. Software Quality Assurance ensures that software will function, and SSA addresses the immediate challenge of removing vulnerabilities from operational applications and the ongoing systemic challenge of producing secure software. It also ensures that all software - whether it is developed in-house, outsourced, or acquired from vendors, even the open source community - is in compliance with internal and external security mandates.

Organizations that have adopted comprehensive SSA programs have experienced a measurable reduction of risk in existing applications and significant reductions in vulnerability counts coming from new software releases and procurements. This process reduces the overall cost of ensuring information security throughout the organization. These reductions are realized from eliminating production vulnerability management costs and reducing dependency on manual external application assessments. Time to compliance is also accelerated.

The Fortify Advantage

Fortify offers customized solutions to build SSA programs based on a three-pillared approach rooted in Fortify’s three core competitive competencies – the Fortify 360 Product Suite, a world-class Global Services division, and the cutting-edge Security Research Group. These three pillars are rooted in Fortify’s Framework*SSA, the institutional knowledge, experience, and expertise harnessed from working with over 500 customers on developing their SSA programs.

Summary of Benefits

The key benefits of developing an SSA program with Fortify are:

– Measured Reduction of Risk
– Cost Effective

Data Protection

Our Information Protection Solution also incorporates a specially developed hardware tool called Tactically Unbreakable COMSEC (TUC) for protecting data in transit and data at rest. TUC is a hardware device based on reprogrammable logic which allows the device to be fully adaptable to the changing environment of cyber security. There are compelling advantages of using hardware rather than software for encryption – hardware does not introduce the latency associated with pure software encryption solutions.

Functional Requirements

Key management and crypto implementation makes systems far more secure than the average database-driven key management procedures of legacy encryption implementations. The keys are randomly generated at session initialization. There are no keys stored in a database and subject to compromise by brute force attack. Our protection program can (at client request) leverage existing authentication processes already in place at the client organization. Our implementation requires no infrastructure upgrade or increased cost for infrastructure adjustment of perimeter defense mechanisms. The data at rest capabilities exist for all removable media as well as encryption of the hard drive by file type, folder name, hard drive partition, or entire volume as required. The unique nature of our implementation makes the execution of this encryption scheme based wholly on business rules and requires no input by the user.

System Requirements

Tactically Unbreakable COMSEC (TUC) is a multi-form factor capability based on Field Programmable Gate Arrays (FPGA) which cannot be corrupted by attackers. This hardware nature offers the following advantages:

– TUC cannot be corrupted or accessed by hackers

– On-FPGA PowerPC, it is physically and programmatically isolated

– All “Trusted Processor” programming, data and buffers isolated

– Digital certificates and public/private keys are stored on Trusted Processor TUC module – totally physically isolated

– Hackers cannot access or corrupt digital certificates or keys
   – Used to validate/certify all key host software and data files
   – Used to validate, encrypt and digitally sign all protected files

– Establishes a legal “Chain of Certification” which can be tested and proven

– May be used as certification for system software, data files and downloads

– Every item digitally signed, encrypted, and run time verified

During a protected communication between TUC hardware devices, TUC automatically sets up a virtual private tunnel for passing encrypted information. This process takes place during system initialization without user intervention.

Interface Requirements

Interface issues with the TUC hardware devices are non-existent. Because TUC operates at the data link layer of the OSI Model, it is agnostic to events at the application or presentation layer where interface requirements exist. TUC also operates below the operating system layers and thereby works with MAC 10.x, Microsoft Windows, industry standard internet browsers and Microsoft Office applications. When leveraging current authentication capabilities, TUC becomes a two-factor authentication capability. The system is also interoperable with network appliances (VPN, Firewall, IPS/IDS) working at level 3 of the OSI model. TUC supports smart card readers and can be tailored to integrate in the boot sequence of a Microsoft workstation or server environment. The system will also integrate with a broad range of operating systems, tape drives, and back-up policy types.

Vulnerability and Compliance Management

The protection components, all of them, of any secure environment are not infallible over time. As the threat increases their capability, our protection systems need to be dynamic and capable of change to shore up new vulnerabilities that emerge with increased threat. Our engineers perform vulnerability and attack and penetration assessments in internet, intranet and wireless environments for our clients. We also perform discovery and scanning for open ports and services, application penetration testing, and interact with the client as required throughout the engagement. Our teams provide reports documenting discoveries during the engagement and debrief these discoveries to the client with mitigation recommendations at the conclusion of each engagement. Our SMEs also provide FISMA program management and database maintenance and support for compliance management. The entire effort resulted in success for our client with respect to ensuring data integrity, monitoring and fixing compliance, helping users and managers with correcting deficiencies, and compiling FISMA reports for submission to OMB and Congress.

EVASE™

Along those same regulatory lines, having recognized the need to manage vulnerabilities to an enterprise protection strategy while adding value through helping federal organizations with FISMA reporting, the Evolvent team developed the Evolvent Vulnerability Assessment Security Engine (EVASE™). EVASE™ is a FISMA compliant reporting tool that can be used by a wide range of personnel throughout the entire agency.

EVASE™ is a multi-functional, secure, web-based information assurance and cyber security software package fully complemented by Evolvent’s cyber security consulting services. EVASE™ is intuitive for users and requires minimal training to implement and use. The resulting functionality permits hierarchical user and management control of data submissions; allows users to enter data as draft or works-in-progress awaiting management approval; and gives management the capability to review, edit, and submit FISMA related information to a higher headquarters while segmenting data at lower echelons.

EVASE™ Tracker, a dynamic web-based vulnerability engine, uploads ISS® and Harris Stat® vulnerability scan results for managing, controlling, and tracking security vulnerabilities. Tracker can also be configured to manage vulnerability assessments from other management tools for mitigation tracking. Tracker allows managers to review hundreds of vulnerabilities by operating system, host/IP, and severity. Managers can then assign resources to mitigate those vulnerabilities, assign completion dates, estimate labor costs, prioritize resources, and track completion rates as individual system security improves.

EVASE™ Score adds even more. This web-based application allows clients to first create a database of their systems (system inventory) and then perform a FISMA-equivalent security self-assessment based on National Institute of Standards and Technology (NIST) standards. This is a critical capability in managing your IT environment. Our experience with clients from public to private sector tells us that many organizations do not have accurate inventories of their computing environments.

EVASE™ optionally includes an integrated documentation control tool and form manager that uses any client’s forms (e.g. OMB M-04-25) to route among participants, assign input and review/approval tasks, and track the progress and status at any organizational level. Reporting and output can be customized by the client to report by form or Microsoft Office product, such as Word or Excel. This documentation control tool permits assignments of documents by individual or position, automatic email notification, and status reminders.

EVASE™ Scan combines Evolvent’s cyber security consulting services with EVASE™ software technology. This integration provides clients with efficient and cost-effective information assurance services, to include vulnerability scanning and mitigation, certification and accreditation, Certificate of Networthiness applications, development and staffing of Network Security Operations Centers (NOSC), and general security services advisements. ◆
