CIO Interview: Helping patients feel secure in the waiting room and on the Web

In his dual role as CIO and programmer for CareGroup Healthcare System, Dr. John Halamka moved the organization's financial and medical information to a Web-based system. In this interview, Halamka discusses security measures he built for the site.

One of the most ambitious projects that Dr. John Halamka has directed as chief medical information officer of CareGroup Healthcare System has been moving the health care organization’s clinical and financial information from a client-server system to one that is Web-based. In this interview, Halamka discusses the importance of security in protecting patient information, the architecture involved, and his role as CIO.

TechRepublic: How do you safeguard patient information in your system? What kind of security do you employ?
Halamka: The security architecture is one that is recognized nationally as one of the best implementations. We received from InformationWeek a Best Practices Award for it. We use SecurID for all our authentication, which means a password that changes every minute. We use 128-bit secure socket.

We audit everything, so we know every single thing that anyone has ever done on the portal. We know where they have been and what they saw. We use no caching structures, which means that no page that has anything to do with a patient or a doctor is ever stored by your Web browser. We have expired it. We have not cached it. We have done all of the things that are necessary so that the browser throws it away on arrival.
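The "expired, not cached" behaviour described above can be verified on any response. The following is an added example, not CareGroup's code: it builds a header set that makes the browser discard a page on arrival and audits arbitrary response headers for the common ways a patient page can still end up on disk (for example `no-cache` or `private` without `no-store`, or a future `Expires` date). Header names and values are constructed for illustration.

```python
"""Verify that a response for a patient or clinician page cannot be kept by
the browser. Added example, not CareGroup's code."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List


def no_store_headers() -> Dict[str, str]:
    """Headers that make the browser discard the page on arrival (constructed)."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",  # for HTTP/1.0 caches that ignore Cache-Control
        "Expires": "0",        # an invalid date counts as already expired (RFC 7234)
    }


def _directives(cache_control: str) -> Dict[str, str]:
    """Parse 'no-store, max-age=0' into {'no-store': '', 'max-age': '0'}."""
    out: Dict[str, str] = {}
    for part in cache_control.split(","):
        name, _, value = part.strip().lower().partition("=")
        if name:
            out[name] = value.strip().strip('"')
    return out


def _expires_in_future(value: str) -> bool:
    """True only for a parsable Expires date that lies ahead of now."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return False  # unparsable values ("0", "-1") mean already expired
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > datetime.now(timezone.utc)


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Reasons the browser could still store the response; empty means safe."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    cc = _directives(h.get("cache-control", ""))
    if "no-store" not in cc:
        # no-cache only forces revalidation and private only excludes shared
        # caches; either leaves a copy on the user's disk.
        findings.append("Cache-Control lacks no-store")
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing for HTTP/1.0 caches")
    if _expires_in_future(h.get("expires", "")):
        findings.append("Expires is in the future, contradicting no-store")
    return findings
```

Run `cache_findings` over the headers captured from a proxy or browser developer tools; any non-empty result is a page the browser may retain after the session ends.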

TechRepublic: As the CIO, why do you consider those measures important?
Halamka: Well, because security is absolutely the showstopper. In health care, we put patient confidentiality as the absolute must in any system we design. Fundamentally, I will not roll out an application until it has bulletproof security.

If I told you I was going to put your health care information in a Web browser, you…want to be confident that we had used the equivalent of Department of Defense-type security measures. Certain things are not put on the Web: HIV test results and psychiatric notes, despite this incredible security architecture, are not accessible.

Concerning our infrastructure, 100 percent of our network is Cisco routers. We have a 10,000-square-foot data center that is only accessible via card key and has 24-hour staff and security cameras. We have 10 terabytes of EMC network storage, so every single bit of data in CareGroup is not just in an EMC array, which by its very nature is RAID 5 plus duplicated. We actually have mirrored EMC towers.

Our server infrastructure is set up using load-balanced Web servers with hot backups online, so you can literally pull out a hard disk, take down the EMC tower, turn off a server, and it all still works.

Last week's first installment of our two-part interview with Dr. John Halamka discussed how he balances the role of physician and CIO and explains how he worked to move financial and patient information to the Web.

TechRepublic: What are some other components of your architecture? I know you use a database management system from InterSystems Corporation.
Halamka: If we are going to be entirely Web focused, we want infrastructure that is really fast and scalable, because we get three million hits a month. That is important, because doctors are not the most patient people.

We consider two seconds' response time the absolute longest wait. The interesting thing about medical data is that it is not relational. That is, medical data is around a patient, and a patient has labs, and labs have values on given dates.

It turns out that medical data is actually stored as a hierarchy, where the patient is at the top of the hierarchy and the individual results are at the bottom of the hierarchy. It is not columns and rows where we traditionally think about the way that data is stored.

Caché (a product of InterSystems) is a hierarchical database. It allows us to put in data and store it in just the way that medical data is produced…with the patient on the top and the results on the bottom. There is no column and row structure.

What this means for us from a scalability standpoint is that I can run 900 simultaneous users, doing 50 transactions a second, over 90 gigabytes of data and run it on a Pentium 400 box. Try doing that with Oracle. Oracle has its purpose if you want to say, "Gee, how many patients have we seen in the last 20 years that have a diagnosis of heart attack?" That is a relational kind of thing because there is a patient and diagnosis. Those are the columns. The rows are maybe the dates that they had their visits or whatever.

TechRepublic: Are you using XML or Java?
Halamka: All of the Web technology that we use is based on Microsoft platforms. We use NT, IIS 4, XML, and JavaScript. We do not use a lot of Java, however. We typically write most of our systems on the server side in Visual Basic Script, which is the standard way for generating Microsoft Web components.

TechRepublic: Do you find that people are receptive to the Web-based system?
Halamka: Absolutely, because they never have to leave the Web browser to do their work. We have made everything accessible through that medium.

TechRepublic: What is your most difficult challenge? Is it technology, management, or business? Or does it change from day to day?
Halamka: The biggest challenge is always effecting organizational change. The technology is never the challenge. It is the implementation of the technology. Once I have it out there, how do I get people to use it, learn it, change their business processes? We spend most of our time… in the organizational change piece.

TechRepublic: Do you feel that because of the increased importance of IT, CIOs have a larger role in companies and businesses?
Halamka: Absolutely, because in fact, since IT systems touch every aspect of the organization, it turns out that IT is one of the most strategic assets of the health care system. I find myself constantly on the frontlines. I am not a creature of the backroom.

Basically, the role of CIO is a challenging one that requires you to balance the deeply technical knowledge, the process, organizational implementation issues, and in my case, the medical ones. It has literally required the very odd background that I have, as a doctor and a technologist. I have five degrees, from Stanford, Berkeley, UCSF, MIT, and Harvard. It requires that kind of synergy to really be effective.

TechRepublic: Do you see yourself in the CIO role for a long time, or do you see yourself moving to CEO? Do you think that CIO is a natural progression to the more traditional executive offices?
Halamka: The CIO role is so varied and so deep. I get to do a little bit of everything every day. I am actually quite happy with my capacity as CIO. I do a fair amount of work in the public interest. I am the chairman of the New England Health EDI Network. Therefore, I am able to bring together all of the insurance companies and all of the hospitals in the state of Massachusetts and build electronic gateways and interfaces among these groups.

Serving the public interest is also a great thing for me to do. I sit on the boards of several e-commerce companies. I am advisor to multiple companies. I get to—in a sense—play all of the best worlds: a little bit of the Internet start-up, a little bit of the public interest, a little bit of the not-for-profit. So that has kept me interested.