3 Hardware and Mobile Device Selection and Security

Section 3.6 Select Hardware and Mobile Device Selection and Security

Use this tool to assist in determining the most appropriate hardware and mobile devices for your health information technology (HIT) applications.

Time needed: 8 hours Suggested prior tools: Section 1.7 EHR Technology Readiness Inventory, Section 1.8 HIE Technology Readiness Inventory

Introduction The physical hardware environment that is required to support your HIT investment is varied and diverse. It includes servers, switches, PCs, tablets, smart phones, bar code readers and many more hardware compents to numerous to mention. The technical environment is ever changing and rapidly evolving. Security of each hardware component needs to be addressed as you implement the hardware. Hardware of some sort will be required to access the information in your HIT applications. Familarity with the terms and some of the hardware that is required will prove essential as you proceed with your HIT project.

How to Use 1. Identify the types of hardware your electronic health record (EHR) and/or health information exchange (HIE) require you to acquire. Your selection of a straight license client/server product or an (application service provider) ASP/ (software as a service) SaaS model will determine whether you need to acquire servers and associated network devices. If you are acquiring servers you should obtain information from the vendor on minimum essential—as well as optimal—hardware configurations. It is important not to skimp on hardware or network connectivity, as it makes a big difference in the ability to use the system. Anything short of using the HIT at the point of care will introduce potential for errors and missed alerts that defeat the purpose of the HIT. 2. Compare input device capabilities to evaluate what is best for providing nursing home services. Differences are significant and directly impact use. It is also important to think ahead. If you have a migration path where you will be buying more basic components first, you do not want to limit the hardware to what will work for basic functionality; otherwise you soon may be faced with replacement costs. 3. Attempt to limit variation in input devices acquired or approved for use. Although one size does not necessarily fit all for input devices, a minimum amount of variation is recommended. Too many different devices, or even the same type of device from different manufacturers, can be costly to maintain. Parts are not interchangeable, documentation of system installation and maintenance differ, and upgrades come at varying times. This is especially important for small agencies with minimum IT staff. Despite that there is a trend toward permitting users to “bring your own device” (BYOD), the burden

Section 3 Select—Hardware and Mobile Device Selection and Security - 1 on a small organization and the risk that the device does not have the proper security are too great. 4. Test input devices. There are significant differences in input devices and how well they can be used in different types of environments. (See table below). While a thorough test cannot be performed without the actual application in place, a small number of different devices can be provided to different users early in the process of HIT planning. Allow nurses to use these to test routine email, Internet access, computer skills building, and even review vendor demonstrations. This not only helps evaluate the devices, but builds computer skills and helps end users evaluate how they will use the devices at the point of care.

Types of Devices: Stationary vs. Mobile Stationary Devices Mobile Devices Desktops • Notebooks/laptops  Require space for monitor, keyboard, • Tablets and system unit (if a thin client* is not • smart phones used) For notebooks/laptops, issues of: • Associated devices, such as • Weight navigational devices, speech • Heat recognition, power, security • Battery life For tablets, issues of: • Weight Notebooks/Laptops • Battery life (better than notebook/laptop)  Enable portability when necessary by • Processing power staff or to swap for use in the field For smart phones, issues of: • Size of screen  Requires extra precautions for • Battery life encrypting the data retained on the • Processing power device For all:  More expensive than desktops • Require wireless network, or downloading patient data for the day (if sufficient storage) • Require consideration for where to put the devices when not in use at the client’s home and when traveling. (See Security Considerations below.) Expense is variable Not all EHRs are designed to work optimally on a smart phone *A thin client refers to a computer with minimal or any local processing capability. As data are entered, they are sent to the server, processed, and returned to the user. Many EHRs used by skilled nursing facilitieswill likely run on thin clients. Some with highly sophisticated processing functionality may require a “thick client” (i.e., one with a system unit housing local processing capability).

Section 3 Select—Hardware and Mobile Device Selection and Security - 2 Speech/Handwriting Recognition Some clinicians prefer to handwrite or dictate. Speech recognition, except when used to issue voice commands to a structured data template (discrete reportable transcription, or DRT), does not generate discrete (or structured) data values. As a result, the computer cannot process the information into graphs or trend lines, or perform clinical decision support with the information dictated. You should be aware of these issues associated with speech recognition systems and plan carefully if they become a consideration in your HIT selection:  Speech is digitized and matched against coded dictionaries to recognize words. - Newer speech recognition systems accommodate continuous speech and almost no training - New systems are speaker-independent, requiring no training (although in some cases systems improve accuracy with use)  Speech recognition is improving in accuracy; however, commonly used terms rather than medical terms are where errors often occur. For example, next week may be spoken as “nexweek” which the system cannot understand.  Correction must be performed, either: - Retrospectively by an editor - Concurrently by the user  Speech recognition at the point of care may be a significant change for clinicians who are not accustomed to telling their clients what they are entering into their health records. However, if used to keep the client engaged while performing data entry, this feature can be very helpful.  Speech recognition is most successful in areas of health care that have a high degree of standardization/repetition and a small amount of content to be dictated.  Handwriting recognition (on a tablet) is a very similar process to speech recognition, although may require more system training. Newer tablets have the ability to select data from menus using a stylus or finger.

Bar Code/Radio Frequency Identification (RFID) The U.S. Food and Drug Administration required manufacturers to apply bar code labels for all human drug and biological products by April 26, 2006. Bar codes on packages of drugs have been used primarily for pharmaceutical inventory. More recently, they are being used in medication administration when patient wrist bands, nurse badges, and unit dose medications with bar codes are available. Bar codes are also being used to manage lab specimens. Radio frequency identification (RFID) is similar to bar code technology but does not require direct line-of-sight to read the codes. In health care, RFID tags are being used to track movement of clients—especially those with memory loss—and employees, expensive equipment, and narcotics.

Document Scanning Systems

Section 3 Select—Hardware and Mobile Device Selection and Security - 3 As the desire to become paperless becomes more ubiquitous, consideration may be given to acquiring an electronic document management system, which requires a scanner to scan documents. Small, portable scanners are available for occasional scanning.

Kiosk A kiosk is a computer, often built into a piece of furniture, with special software to support limited data entry via a card reader and/or touch selection. There may also be limited printing capability. (An example of a kiosk is at an airport ticket counter where you may touch the screen to enter your itinerary and a boarding pass can be generated.) Kiosks are becoming popular in hospital and physician office waiting rooms to identify arrival of a patient or family member, and to allow patients to enter their demographic data and history of present illness. Kiosks are also being used in health care for patient authorization or consent, where the client reviews a document, such as an authorization or consent form online and affixes a digitized signature (much like in the retail setting).

Security Considerations  On devices and media: Loss or theft of mobile devices is one of the biggest concerns in health care. A significant percentage of breaches reported to the federal government involve mobile devices with protected health information that has not been encrypted. Applying a password is not adequate. To reduce the likelihood that your skilled nursing facility could have a breach of privacy as a result of a lost or stolen mobile device, follow the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrul e/brguidance.html. This Web site also directs the reader to the National Institute of Standards and Technology (NIST) Special Publication 800- 111, Guide to Storage Encryption Technologies for End User Devices. It is essential that any device that is moved or can be moved be encrypted. The EHR vendor should be able to apply this technology for you so that the process is seamless to the end user. Be aware also that laptops and notebooks used in the office are still portable. These also should be encrypted. In fact, a best practice is to encrypt protected health information anywhere it is stored, whether on a desktop, mobile device, server, or backup media (e.g., tapes or disks).  During transmission: Encryption must also be applied to protected health information as it is transmitted. Helpful resources include: NIST Special Publications 800- 52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; NIST Special Publications 800-77 (for transmissions over the Web), Guide to IPsec VPNs (for transmissions over the Internet); and NIST Special Publications 800-113, Guide to SSL VPNs (for transmissions through a virtual private network [VPN]).

Section 3 Select—Hardware and Mobile Device Selection and Security - 4 Any organization providing health information exchange (HIE) should have specific requirements for securing transmissions. For more information, see Section 4.10 Using Direct for HIE and Section 4.11 Using CONNECT for HIE.

Section 3 Select—Hardware and Mobile Device Selection and Security - 5