Copyright © 2002 John Zipperer unless indicated otherwise.

From and copyright by Internet World:

Business Lab
Military Health System Protects Patient Data

By John Zipperer

(10/01/02) Ensuring the privacy of the client data in your enterprise's systems is a matter of corporate integrity for most organizations, and it's a matter of simple public relations for a few. But for organizations in the health-care industry, it is a government mandate that the medical information in their possession is protected from misuse. That mandate holds even for health-care organizations that are themselves part of the government, such as the Military Health System (MHS), the Department of Defense's giant health-care organization with millions of beneficiaries circling the globe.

Luckily for the military, it had the advantage of a two-decade head start that has not only made its adoption of heavy new government regulations for medical privacy easier but is turning it into the 800-pound gorilla that establishes a standard for other health-care enterprises to meet.

With the passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, there began the arduous task of updating systems and developing standards for handling patient information in the digital age. The task hasn't yet been completed, and organizations such as MHS have a series of milestones to reach over the next couple years as parts of the HIPAA regulations phase in. Though this is requiring a great deal of work, the changes that are being required are not out of line with industry thinking on what's needed to improve security, privacy, and efficiency.

In fact, it's right in line with the development of the industry. A new Medical Records Institute report, Healthcare Documentation: A Report on Information Capture and Report Generation, focuses on the benefits gained from moving from manual to electronic documentation in the health-care industry. Though it focuses mainly on the data-creation end, where medical professionals create records that have to be shared with other professionals, it puts forward a set of principles that are necessary for professionals throughout the health-care value chain. It urges that patient information be properly identified across disparate systems, that the information be accurate and complete, up-to-date, accessible across different types of systems at any time and place, confidential, use secure authentication, and that it be auditable.

In general, HIPAA's goal is to make health-care provision a smoother process with better-lubricated movement of information between providers and patients, all the while ensuring that the data remains private and is not misused. (For more on HIPAA compliance issues, see the resources at www.hipaacomply.com.)

This article would be very different if it were written in Japan and taking a look at that country's massive new centralized database of citizen information. Fears over that data being mishandled have led to the unusual sight of Japanese engaging in acts of civil disobedience in an attempt to keep their information out of the system.

The privacy of health-care data itself can be more important to people than even their credit information in some cases, because it can affect insurance payments as well as larger issues such as employment. So how did a huge part of the U.S. Government go about meeting the HIPAA requirements and keeping its beneficiaries' trust? The answer: It did it over the long term and with a careful, step-by-step approach using policies and technology that made sure that HIPAA is just the latest in its efforts to ensure efficient and private communication of patient data.

Getting Started
Part of the reason MHS has been able to incorporate its HIPAA work into its long-term flow of information security and privacy efforts is that the structure to manage the project is well established. As you would expect with a military organization, there's a clear hierarchy and assignment of duties. Kelly's senior executives include the MHS' chief executive officer and chief information officer. Because MHS provides medical services for three branches of the military — Army, Navy, and Air Force — there's a surgeon general representing each. (In addition, it provides health care for related services such as the Coast Guard.) Those three, along with the assistant secretary of defense for health affairs (who is also the MHS CEO), his principal deputy, other deputy assistant secretaries of defense, and the medical officer for the Joint Chiefs of Staff, form the Senior Military Medical Advisory Council, which is the main policy-making body for MHS.

When it comes to handling HIPAA and other electronic medical privacy matters, there are workgroups that make recommendations. Those recommendations go through the deputy surgeon generals and the MHS program executive officer for approval of funding and implementation. All policy issues are handled by the Senior Military Medical Advisory Council. Any medical privacy or electronic security issues have to comply with policies throughout the Department of Defense governing information assurance, privacy, and electronic security.

It might be hard to find someone who could understand the associated problems and the overall challenge better than Brian Kelly. Besides holding the rank of captain in the Navy, where he has served for 19 years, he has a doctorate of medicine and an MBA, as well as training in bioengineering and information management. Not only is he a practicing neurologist and intensive-care medicine specialist, but he finds time to serve as an associate professor of neurology and medical informatics at the Uniformed Services University of the Health Sciences. He can draw on all of that expertise in his role as the director of e-business, policy, and standards for the Department of Defense (Health Affairs). Kelly is the man responsible for developing the strategy and implementation plan to bring the power of the Internet to the task of improving the health care for the 8.7 million beneficiaries in the Department of Defense. Therefore, HIPAA is part of his mandate.

The road that led him to where he is today began more than five years ago when he was trying to get an information system for the intensive-care unit at his hospital. That led to ever-larger involvement in such projects until he reached his current position two years ago, where he looks at "how are we going to use the Internet to strategically improve health care for the 8.7 million beneficiaries who use our system," he says.

He is responsible for ensuring that 80 central information systems — as well as other systems that are specific to the Army, Navy, or Air Force medical departments — involved in MHS are in compliance with HIPAA security and privacy rules. In his role, he looks for strategies to move all applications to a common service architecture, and the important factors that go into his planning are the need for secure communications, security of data, and privacy.

"DOD has always taken privacy and security very, very seriously," Kelly says. Back in 1974, DOD had its first medical privacy initiative, which covered electronic and paper-based medical data, as well as verbal communication. "Because of that, we have had policies and procedures in place to deal with privacy for a long time. Our HIPAA privacy implementation, though onerous in itself, has been easier" as a result.

"We also for many years have had a centralized DOD security accreditation process for all of our information systems," he continues. Any centrally managed system goes through this process, so it's subjected to tests for things such as secure databases and appropriate access controls on the systems. In addition, password protections and higher levels of security are used throughout.

As many enterprises have learned over the past couple years, systems that were designed to work securely in closed or disconnected architectures can present new challenges when they are connected to each other and to the Internet. The centerpiece of MHS' HIPAA compliance is seen in the development of an online portal for its beneficiaries, called Tricare Online, which gives MHS an online platform to turn into a place where those beneficiaries could take care of needs such as making appointments, updating health-care enrollment when they change addresses, getting prescriptions refilled, or e-mailing their providers to request advice or medication refills.

"We've been working for about a year and a half on our health-care portal, Tricare Online, and the fundamental value premise is that we'd like to develop one single secure point of access for our beneficiaries to come in and access our health care services," Kelly says. By the time this article appears, Tricare Online should be available for about 90 facilities. April 2003 is the HIPAA compliance deadline for privacy regulations, and Kelly says the plan is to have Tricare at all MHS facilities by then — that's a global system of 76 hospitals, more than 400 clinics, and 400 dental clinics. Users will get information about using the privacy procedures in a mass mailing to all beneficiaries 18 years of age or older.

Internet-Based Scenario
The Tricare portal is hosted at a defense agency site in the United States, where it joins other mission-critical systems protected behind firewalls, three levels of uninterruptible power supply (UPS) backup, and more. So where does the military go when it's looking for someone to ensure military-level security for its systems?

With an initiative as mammoth as HIPAA compliance, there are a number of companies offering technological assistance. HIPAA is a natural point of entry or expansion into the large health-care industry. Several years ago Oracle Corp.'s unit serving the federal government began a strong expansion into the military health market; Siemens AG touts its HIPAA offerings online (see www.smed.com/hipaa); and IBM Corp. is offering up its usual battery of worldwide experts to help health-care companies manage their way through the HIPAA maze.

MHS decided to use a commercial best-of-breed product, and it went with a company known for its roots in government. "Our enterprise for the last several years has made a major investment in Oracle databases," says Kelly, so when it went looking for a portal vendor, it chose Oracle. The Redwood Shores, Calif.-based software company will also be providing single-sign-on capabilities, and it can support both client- and server-side public key infrastructure that's compatible with DOD's PKI policy.

Oracle's ability to handle role-based security was a big attraction. "But more important — though this is not a current requirement in the sense that right now most of our systems are locally based at each of our major health-care facilities — many of our new initiatives will be using centralized databases," says Kelly. "As you move to centralized databases, the good news is that many, many people can access that information and do their job. It's very important to move to centralized databases, because the typical military serviceperson will move every three years." As a result, over time their data could be in seven or ten different systems. Not only is it more difficult for the patients and doctors to access such separated information for regular patient-care purposes, but the disparate databases make it difficult to do longitudinal database studies.

Because DOD wanted a platform that could rapidly bring into its enterprise new functionality and capability, it could get it from Oracle's platform, says Mark Johnson, group vice president for federal sales, Oracle Government, Education & Healthcare. MHS uses the Oracle9i platform. "What they have right now is not only our database and application server, but end-to-end security from their constituents over the Internet to the database," Johnson says.

Business Innovation
"To optimize health care, I'd like the doctors to see all the information on me as the patient wherever it is," Kelly says. "Once you begin to do that, the downside is that your security issues become more significant," because so many more people have legitimate access into the system.

Currently, MHS' centralized repositories are used not for point-of-service care but for doing aggregate data mining. It uses a data warehousing strategy, in which it basically does downloads from its core legacy systems — the composite health-care systems, of which it has 104 distributed around the world. That data is downloaded every night into the centralized systems.

MHS uses Oracle9i Real Application Cluster technology to meet its volume needs. Clustering refers to tying together multiple computers at a site so their processing power can be used as if it were one large computer. With more than 8 million beneficiaries, Real Application Cluster lets them get reliability and scalability. "Through consolidation it doesn't mean you have to have the largest server to handle your system, you can use clusters," says Johnson. Some customers will look to cluster many smaller servers, some will choose to have a few high-end large servers. But Johnson says the key theme is having a single logical database to run your operations.

"We have security that allows us to audit that small number of people and only give access privileges to the cadre of people who should be accessing that information," says Kelly. "As we move into our next generation, we would like to have access to the entire medical record of a person available to the provider taking care of that person at any time." He says the MHS' requirements for giving that wider access while at the same time protecting the patients' privacy in the centralized repository were that it be done in the most effective and secure way. He says you need role-based security, which MHS already had in its system.

You also clearly need policy that is enforced with penalties, as well as auditing to find the bad apples where you can. "We feel as we move forward, like every other health-care system in the United States, we are going to need to show due diligence of how we have provided security of information," he says.

And those needs led them to Oracle as a solution. "We feel they're very strong on security," says Kelly. "They allow us to do both role-based security, single sign-on security, as well as security at the database level that is quite fine-grained. There's certain information on these consolidated databases that is much more sensitive than others, such as HIV information or mental health information, and we need the capability to provide higher levels of security for these types of information."

With Oracle, MHS is able to restrict access at the database level. "There's always a balance between securing the information and allowing people ease of access to the information, and these are the types of issues we'll be dealing with," says Kelly.

Impact and Goals
The MHS takes several approaches to measuring return on investment. "We feel there is a significant ROI long term in us moving certain expensive services to an Internet model," says Kelly. For a system that did more than 35 million appointments last year, as well as handling millions of claims and referrals, he believes MHS would also save millions of dollars if it could move even half of that activity online. "We also look at the fact that we very much would like to be able to improve the access of our beneficiaries to their providers so they can get more-timely and convenient help. You and I are very busy people, and for us to take time out to go visit a doctor for something that could be handled over e-mail, is not an efficient use of time."

"We feel that any successful health-care portal must first have the patients' trust that it will protect their privacy and secure their health-care information," Kelly says. "It is the right thing to do. In addition, when we look at ROI on our Internet initiatives, we feel there's a strong case for doing that. When we look at our strategy for taking a centralized approach to security," ROI is in not needing a PKI (public key infrastructure) solution for every disparate system. With centralized management and hosting, its application developers can look at security as a commodity that's provided as a service at a centralized location. Headcount reduction isn't the issue; more-effective usage of resources is. As a result, they can focus on writing the best pharmacy application or procuring the best applications from outside developers, thereby focusing on their core talents.

Complying with HIPAA regulations is not the end of the road for the Military Health System's privacy technology plans. It's just the first part of a move of more and more functionality online. MHS isn't the only one that will leverage its early action; its vendor hopes to increase its presence in the health-care field. Jim Palmisano, a senior account manager with Oracle Military Healthcare Programs, also knows the military from the inside. He was in the Air Force for 11 years — he is still in the reserves — and he served as a CIO in an Air Force hospital. He says the MHS is similar to other government health-care systems. "What we learn and what we do with Military Health System is going to be valuable for other health-care systems, there's no doubt about it," he says. "When you get down to it, providing health care for people--it's very similar."

And by being an early and eager adopter of HIPAA rules, MHS gets to help establish the standards to be used throughout the health-care world. Already, when it transfers information to non-MHS care providers, it holds them up to a high standard. HIPAA hasn't set those standards; it is basically saying there need to be accepted processes and procedures in place demonstrating the protection of the privacy of patient information and that patients will be notified. That's the privacy provision; under a HIPAA security rule that is still in draft form and won't be realized for a couple years, things such as encrypting information over the Internet and access controls will be required.

Kelly says his organization is going to meet the April 2003 deadline for compliance with the privacy part of HIPAA, and he believes he'll meet the rest of it too as it phases in. After all, says Kelly, with its head start in this arena, HIPAA is just the formalization on a national level of an approach to privacy and security "that we've been dealing with in the Military Health System for the last 20 years."

Driving Performance: Managed Supply Chain

Supply Chain Knowledge is the Answer

By John Zipperer

(09/01/02) Despite much bragging by companies that they now have a better view into their supply chains, a more-realistic picture is emerging of supply chains that are poorly understood, filled with data that is poorly or inadequately mined, and creating opportunities for your competitors to get the jump on you. Though 85 percent of 162 senior executives place a top priority on improving their supply chain performance, not even 10 percent of them properly track it, according to a survey by Bain and Co. called "Why Companies Flunk Supply-Chain 101." The survey found that only 7 percent are even collecting the right information to let them measure how well they are doing. Only one-third of the respondents track the performance of their supply chains beyond their enterprise boundaries—rather surprising, because the supply chain by definition is the extension of your business outside of its own corporate walls. These facts pose problems in the enterprise, and many companies have taken action to remedy them.

But here too, Bain sees a significant existing and growing gap between enterprises that do good jobs at analyzing their supply chains—such as Dell and Toyota—and those that are "average firms." In short, not enough companies receive supply chain data, and of those that do, they're not getting it throughout their supply chain. Add to that the related problem of integrating that data into their other systems, and you get a good sense of the challenge.

A Solution for BDI
Approaches to solving the problems Bain identifies may well depend on the technology investments you have already made. For example, if you are already a customer of SAP AG, you may be tempted to use that company's collaborative supply chain approach based on its mySAP Supply Chain Management solution. (This month, SAP is even producing a book on the subject called "Adapt or Die," which explores the company's belief in the need for flexible, adaptive supply chain relationships.)

Getting real supply chain information from outside your four walls is a real problem, agrees Steve Silverman, vice president of operation for BDI-Laguna, a distribution and fulfillment company based in Hackensack, N.J. "The bigger issue is that most people think they are getting information from outside their own four walls, but they're not. Someone sends me a tracking number, so I'm getting information from outside my four walls. But what is that tracking number? Is it monitored? Is it updated? What's it really doing for you?" He says the regular updating of that "outside" information is critical.

BDI-Laguna looks to supply chain management technology to give it a competitive edge. The fulfillment and distribution company outsources for electronics and computer manufacturers—dealing with everything from laptop computers to modem cards to DVD players—and is by definition in the supply chain, doing drop-ship fulfillment, inventorying and warehousing, and even managing online stores for manufacturers. It has a national infrastructure to handle all of that, including warehouses in New Jersey, California, and Georgia. Silverman summed up its mission by saying, "We really consider ourselves supply chain management partners to our manufacturers."

Handling everything from Web-based orders to warehousing and home delivery to serving as a manufacturer reseller (it handles Toshiba's reseller program, for example), BDI knows that its business works best with the swiftest flow of information between those various spots. "The name in our business is obviously inventory, how quickly and efficiently we turn that inventory, and how we maximize that inventory," says Silverman.

To handle its business-critical supply chain relationships, BDI turned to the V-Order Management suite from Vcommerce. Vcommerce, which has its roots in serving as an outsourced provider of fulfillment services for companies and connecting suppliers, uses that technological base and operational experience to offer products addressing the needs of supply chain and procurement executives. Silverman says the system's automation of information gathering and alerting, along with a colorful visual interface, makes the system easy to use. "For example, say we know we're short-shipped on a P.O.," he says. "Based on the business rules on the back end of V-Order Management, it may give us a yellow alert. But if we forecast that we're getting that, it'll give us a red alert."

"We're fixing the black-hole problem," says Steve DeFrancesco, product manager for Vcommerce. "Clients send out an order and it's just a big black hole and they never hear about it." He says users of V-Order Management will spend less time phoning and faxing their suppliers to learn the status of orders. "We've got a couple clients we're talking to now where they had a number of buyers who spent 80 percent of their day phoning and faxing and troubleshooting, trying to find out where things were," he says.

Vcommerce's V-Order Management has four prominent features: visibility, alerting/notification, KPIs (key performance indicators), and supplier score cards. The issue of visibility is the core one, of course, at least in the eyes of those executives concerned about the results of the Bain survey. Vcommerce lets you look into suppliers to check inventory level, view an item number to see who has it internally or externally, what items are at what locations, what has been acknowledged, what's been received, and more.

Getting that view into your suppliers doesn't require that they each purchase a Vcommerce package, however; only a data feed is needed, in which the suppliers make their information available to the Vcommerce system. There are varying levels of integration with them, ranging from a browser-based interface at the light end to the more-typical EDI feed, which gets integrated into V-Order Management. It also can take data that is in the XML language.

Silverman agrees that the integration was easy, with some of his manufacturers like Toshiba integrating into V-Order Management and smaller manufacturers using browser-based setups to feed data. "Vcommerce basically interviewed us and took all that information back to the vendors," he says. "There was no footprint that was required to be installed on a vendor's platform, so that was really easy. From my perspective, it wasn't very complicated."

Silverman wants to keep pushing. He currently uses Version 2.0 of V-Order Management, and he says he will definitely be upgrading to 2.1. The next move for him is to turn around the technology and push it out to his customers. He talks about having an extranet for the Toshiba resellers to log in and participate by forecasting sales and other activities. The goal is to let them do business with BDI with very little human intervention. "If we can accomplish that feat," he says, "we hopefully will have a strategic advantage."

Guidant Tackles the Information
Some companies are looking for a less-comprehensive approach, but one that is nonetheless critical to building efficient businesses. That was the case for medical technology developer Guidant Inc., which faced a changing market that placed pressure on its ability to manage its contracts without a constant addition of staff. With 2001 net sales of $2.7 billion and a couple thousand hospitals in the domestic market, the Indianapolis-based firm faced an increasingly complicated task of handling the information for all of its contracts and turning it around to give it the best deals. "We release new products every year, so our technology keeps evolving," says Jeff Swiecki, the manager of Guidant's e-business. "And that means we have to recontract pretty regularly."

Solutions that focus on the complex information-handling aspect of supply chain management are available from companies such as MindFlow Technologies or Model N Inc. MindFlow leverages analytics and supply chain management. Its Sourcing Suite analyzes current and historical spending, deals with RFQ and RFI bids and auctions, and measures the performance of a sourcing system. On the other hand, Model N focuses on pricing and contract management, and that was the pain point for Guidant.

Guidant turned to Model N earlier this year and is in the process of installing that company's application suite for handling pricing, contracts, compliance, and rebates. Though all of Guidant's 10,000 employees do not manage contracts, there was still the need to make sure that different users pulling up contract data used the same, updated information. Guidant's criteria were to get a system that was flexible, to keep up with the changing makeup of its customers and the changing technology of Guidant's products; it wanted something to cover the entire contract lifecycle, which is Model N's calling card.

Though he wouldn't give exact ROI figures, Swiecki says the company will measure the ROI over five years, and it doesn't expect much for the first year but plans to see the ROI grow incrementally over the following four years. Guidant is looking for specific successes to be measured in terms of reducing the cost of the process (by automating the manual processes, for example) and in increasing the profitability in the contracting by helping it establish the best contracting options for each customer.

Model N Expands Presence in Life Sciences Industry
By John Zipperer

(08/07/02) Finding time and money that is being wasted and eliminating that waste is a full-time job. In a white paper on pricing and contracting within the life sciences industry, Model N Inc. cites an Aberdeen Group claim that contracts govern almost 80 percent of business transactions, but that most companies fail to communicate and manage those contracts' terms. So, if everyone is doing it but most are doing it incorrectly, Model N sees a need for a solution that would help companies take the information they collect from their suppliers and use it in their ERP or CRM systems, but leverage it to make their contracts and pricing more effective.

Model N founder, chairman, and CEO Zack Rinat's previous role had been to head up the application server company NetDynamics, which was sold to Sun Microsystems in 1998. A year ago, he told Internet World that a lot of business-to-business applications had to struggle because they were teamed up with disparate other applications as well as platforms that weren't built specifically for them. The solution to that matter is at the heart of the Model N solution now being offered.

Today, sitting at a café in Silicon Valley, he says after his work at NetDynamics, "I really believed that the next area of competitive advantage would be connections [from enterprises] with the outside world." Rinat says he looked at the advantages and savings that Dell Computer Corp. gets from the way it collects money and that Wal-Mart Stores Inc. gets from the way it manages inventory. He wanted to take their approach, but, instead of developing proprietary technology, offer an off-the-shelf software solution. His strategy at Model N is to deliver a platform of server, tools, and applications for a complete approach to handling contract and pricing execution.

The broad range of offering was what attracted one recent new customer from one of Model N's target markets, the life sciences industry. Guidant, a medical technology manufacturer and seller with $2.7 billion in 2001 revenue, turned to Model N to bring together its pricing and contracting information. The goal of the project—currently being implemented, with completion estimated for the end of this year—is to shrink the time needed to execute contracts and improve the accuracy of the prices the company establishes.

Jeff Swiecki, Guidant's manager of e-business and the person who is heading up the Model N project at the company, says the growing complexity of the health-care marketplace and the continual rollout of new products creates lots of headaches in the contracting process. "We release new products every year, so our technology keeps evolving, so that means we have to recontract pretty regularly," he says, noting that it led to "operational difficulties on the contract front. We had a pretty manual process—a lot of little systems involved—a number of difficulties." Swiecki says that in addition to the broad offering of Model N, another strength of the solution was its flexibility, something he requires with a constantly changing marketplace and product mix.