Nationwide Telecare for Diabetics: A Pilot Implementation of the HOLON Architecture
Peter C. Jones1, Barry G. Silverman, PhD',2, Marcos Athanasoulis3, David Drucker4, Howard Goldberg, MD', John Marsh5, Cuong Nguyen', David Ravichandar, MS6, Larry Reis, MS7, David Rind, MD1, Charles Safran, MD, MS1
1Center for Clinical Computing, Beth Israel Deaconess Medical Center, Harvard Medical School, Boston, MA, 2George Washington University, Washington, DC, 3Windom Health Enterprises, Berkeley, CA, 4Meta Software, Cambridge, MA, 5Concept Five Technologies, Burlington, MA, 6Oracle Corporation, Washington, DC, 7Wizdom Systems, Chicago, IL
This paper presents results from a demonstration project of nationwide exchange of health data for the home care of diabetic patients. A consortium of industry, academic, and health care partners has developed reusable middleware components integrated using the HOLON architecture. Engineering approaches for multi-organization systems development, lessons learned in developing layered object-oriented systems, security and confidentiality considerations, and functionality for nationwide telemedicine applications are discussed.
INTRODUCTION
The Health Object Library ONline (HOLON) project seeks to address the growing need for multi-network health care applications that can serve the needs of increasingly mobile populations. Already, nonportable, heterogeneous patient data and isolated applications are becoming less tolerated in view of progress in health informatics standards, the information superhighway, and a proliferating set of access devices. Also, to meet cost and quality control concerns, and to address the increasing need to respond rapidly to changes in the health care delivery system, the HOLON project seeks to replace isolated development of legacy systems with an architecture that allows reuse of health care specific software components.
Sharing data among disparate institutions is a complex task. Each site may have different legacy systems, incompatible information models, different institutional vocabularies, and varying completeness of clinical information. The HOLON pilot project was conceived to provide a means for the virtual consolidation of the medical records at these heterogeneous institutions.
METHODS
The project employed a structured scenario-based software engineering process illustrated in Figure 1. A health care scenario, centered on the care of a hypothetical elderly diabetic patient, was developed by clinicians who treat diabetics in clinical practice. Diabetes is one of many chronic diseases that account for a significant portion of national health care costs, and that can be managed by patient-directed lifestyle changes. While diabetes was our initial focus, the system architecture was designed to be generalizable to other clinical problems.
The application scenario was analyzed into a sequence of 31 processing steps, which were refined further into use case models using the Unified Modeling Language object-oriented analysis technique [1].
1091-8280/98/$5.00 © 1998 AMIA, Inc.
Figure 1. HOLON implementation process
Use case models were reviewed with the HOLON system implementation team to identify software components and interactions. Class and object models were refined in design meetings including all consortium members to develop a data base design. Object message interactions were analyzed to form a component interaction design. This structured development process permitted several individual components to be designed and implemented in parallel. The HOLON design standards, data base design, messaging design, and infrastructure standards assured communication among the individual components. The implemented HOLON components were finally integration tested and connected to an HTML demonstration front end.
Testbed Network
The HOLON pilot was implemented on dedicated hardware with hardware and software gateways to production clinical systems. The demonstration system was designed to test nationwide sharing of health care information, and incorporated five sites, at Boston, MA, Burlington, MA, Washington, DC, Chicago, IL, and San Francisco, CA. Web servers with appropriate firewall protection provided communication between sites using the HTTP and IIOP Internet protocols.
Clinical applications were implemented on a network of four Windows NT servers. The Visigenic ORB provided CORBA-based management of distributed data base access. A clinical data repository was developed in Oracle version 8. Gateways were provided to hospital legacy systems both in M and in several relational data base management systems.
The user interface was designed for a thin client, to maximize the potential user workstation configurations. The principal client target environment was a web browser, web-enabled email viewer, and a terminal stay-resident (TSR) alerter component that parses email and alerts users when high priority health items have arrived, running on a desktop PC, Network Computer, or Network PC. Both Netscape and Internet Explorer are supported. Interactive TV and beeper services are planned for future pilot deployments.
Software Architecture
Figure 2 illustrates the HOLON architecture used to connect clients to information stores. Multiple clients are shown to the left of the figure, repository servers at the bottom right, and middleware connecting the two. Provided they conform to interfacing standards, applications, legacy patient record systems (once wrapped) and other components can be plugged into this architecture to make use of its common object services. The HOLON middleware features a set of standards-based services and facilities vital to healthcare domains, as well as a set of mediator agents that support advanced, standards-compliant queries and manipulations of the library objects. The HOLON architecture is described in detail in a companion paper [2].
Figure 2. HOLON Architecture
RESULTS
The HOLON pilot was developed in three pilot builds, each build being a complete implementation of the structured development process. The first pilot build was a validation test which implemented a concise scenario of a patient who receives a reminder, upon reaching his 50th birthday, to contact his physician for a prostate exam [3]. This scenario validated communication among all the layers of the HOLON architecture in a simple clinical example.
The second pilot build implemented a scenario in which a diabetic patient moves from Boston to San Francisco and subsequently enrolls in a Health Maintenance Organization [4]. The HMO requires as part of the enrollment process that the patient fill out an online health risk assessment. Upon identifying the patient as a diabetic, an alert is sent to the patient's primary care provider to schedule the patient for an initial visit. Clinicians are able to view both the self-reported data from the health risk assessment that resides in San Francisco and the clinical data that resides in Boston.
To implement this pilot scenario, objects were developed that provide user authentication, patient identification, self-reporting of patient health data, exchange of data between different health care networks, access to multiple health care repositories, and a security architecture to assure patient confidentiality.
Wide Area Access to Patient Data
Authorization and Authentication
The authentication and security architecture implemented in the HOLON pilot is based on the CareWeb.m system [5], which builds on the W3/EMRS architecture for sharing of clinical implementation on the world wide web [6]. HOLON information servers operate behind the web servers of each hospital and create a link to the underlying legacy systems at each institution. These site servers interpret incoming HL7 requests for information, translate them into specific legacy system queries and package the resulting information into an HL7 response.
User authentication is provided by SecurID hardware tokens. These tokens are small, handheld devices containing microprocessors that calculate and display unpredictable codes. These codes change at a specified interval, typically 60 seconds. Our implementation requires that each user begin a session by entering a username, a memorized personal identification number (PIN) and the currently displayed password from the SecurID device. This information is transmitted to a security server which authenticates the user and verifies that the correct password was entered. The security server compares the user-entered password with its knowledge of what password should have been entered for that 60 second period. If the password does not match, it also checks the password from the previous 60 second period to account for delays in typing and transmission. Once a password is verified, the user is authenticated for the entire enterprise for the duration of the web session or 15 minutes, whichever is less. An encrypted security "cookie" is sent back to the user's browser and this cookie is automatically used for all future security dialogs [7]. Using Visual Basic Script and Microsoft's Active Server Pages, we dynamically decrypt the cookie within the web server and invisibly re-verify authentication before responding to additional requests for healthcare data.
To allow users to query multiple hospitals simultaneously, we developed a mediator agent, called a "Consolidator", which processes user requests, dispatches them to multiple hospitals' site servers, and processes the information retrieved. The Consolidator interprets the incoming health care provider request, translates the request into an HL7 query, sends the query via the HTTP post method to each site server, receives the site server response, and consolidates the collected results into a single presentation.
The Consolidator was written in Visual Basic as an OLE Automation Server called by Microsoft Internet Information Server's Active Server Pages. Consolidator HL7 messaging is performed by an HL7 ActiveX component. HTTP messaging is likewise handled by an HTTP ActiveX component. A clinician may view health status information self-reported by the patient alongside clinical data in the hospital's electronic patient record. The Consolidator sends an HL7 request including the patient identifying information to a Site Server developed by Wizdom Systems, which decodes the message and calls a CORBA object to retrieve the data. The object formats a JDBC/ODBC connection to an Oracle data base containing self-reported answers to the PlanetHealth health status questionnaire developed by Windom Health Enterprises. The answers are packaged into HL7 messages using the OBR segment and are returned to the Consolidator, which presents the responses to the user on a web page.
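
The login and per-request re-verification described under Authorization and Authentication above, as an added example (not code from the HOLON project). SecurID's algorithm is proprietary, so `token_code` is an HMAC-based stand-in and the cookie is HMAC-signed rather than encrypted; the user record, key, and replay check are assumptions of the example.

```python
import hashlib
import hmac
import struct

STEP = 60               # seconds each token code is valid (from the page)
SESSION_TTL = 15 * 60   # maximum session lifetime in seconds (from the page)
COOKIE_KEY = b"constructed-demo-cookie-key"  # constructed; server-side secret

# Constructed user record. A production server would store a PIN hash.
USERS = {"drsmith": {"seed": b"constructed-token-seed", "pin": "4711",
                     "last_window": -1}}


def token_code(seed: bytes, window: int) -> str:
    """Six-digit code for one time window (HOTP-style stand-in for SecurID)."""
    digest = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def _tag(payload: str) -> str:
    return hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(user: str, expires: int) -> str:
    payload = f"{user}|{expires}"
    return f"{payload}|{_tag(payload)}"


def login(user: str, pin: str, code: str, now: int):
    """Return a session cookie, or None when the PIN or token code is wrong."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(pin.encode(), rec["pin"].encode()):
        return None
    current = now // STEP
    # Try the current window first, then the previous one to allow for
    # typing and transmission delay.
    for window in (current, current - 1):
        expected = token_code(rec["seed"], window)
        if window > rec["last_window"] and hmac.compare_digest(code.encode(), expected.encode()):
            rec["last_window"] = window  # added hardening: reject replayed codes
            return make_cookie(user, now + SESSION_TTL)
    return None


def check_cookie(cookie: str, now: int):
    """Re-verify the cookie on each request; return the user name or None."""
    payload, _, tag = cookie.rpartition("|")
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return None
    user, _, expires = payload.rpartition("|")
    return user if now < int(expires) else None
```

Accepting the previous window doubles the time an observed code stays usable, which is why the example records the last accepted window per user.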
Clinical Data Repository
A clinical data repository was developed in Oracle 8 and populated with test data. The repository incorporates the data elements in the DEEDS data element standard developed by the Centers for Disease Control, and is structured to conform to the HL7 Reference Information Model.
DEEDS consists of 156 data elements separated into patient identification data, facility and practitioner data, payment data, arrival and assessment data, history and physical examination data, procedure and result data, medication data and disposition data. The HOLON pilot provides for exchange and display of all DEEDS data elements, as well as additional data elements for self-reported health status information.
Security and Confidentiality
In March of 1997, the National Research Council (NRC) of the National Academy of Sciences concluded that the current practices at the majority of health care facilities in the United States are insufficient, and delineated both technical and organizational approaches to protecting electronic health information [8]. We incorporated all thirteen NRC recommendations into the security architecture [9, 10]. The use of hardware tokens for system access provides an important approach to assuring appropriate access. Digital signature cryptography methods are used for all network transmissions, ensuring the integrity of all health data delivered. Since possession of the hardware device authenticates the user, the SecurID token is used as the official electronic signature for "signing" all HOLON documents and audit trails.
Nationwide sharing of data places new requirements on the auditing of data transmission. Security policies geared to the needs of single institutions, or even to integrated health networks, are not sufficient. The HOLON pilot incorporates a multi-institutional auditing system that provides patients with the details of the movement of their medical information, with audit records generated each time data is retrieved. The auditing query system has the same hardware token authentication and access controls as are required for any HOLON healthcare data request. Once authenticated, an auditor enters patient identification information and submits the information to an "Auditing Consolidator". This "Auditing Consolidator" uses secure, password protected Open Database Connectivity (ODBC) connections to query the audit trails of the individual hospitals. It produces a consolidated report showing all flows of information about the patient for all institutions.
Home Diabetic Care
The third HOLON pilot build incorporated additional functionality to support clinical care of diabetics, including web-based order entry of medications and laboratory tests, a problem list data base, lookup of UMLS problem terms and LOINC laboratory test identifiers, physician and patient alerts, and patient diaries for self-reporting of glucose readings, diet, and exercise.
A uniform web-based patient user interface was developed by Meta Software to present the different capabilities available to patients. Links are provided to a risk assessment survey, diabetes monitoring agents, preventive and wellness advice agents, web links related to diabetes, and to personal support agents including to-do lists, address books, a personal calendar, etc. The interface layer manages patient identification and login, and retains user characteristics such as the patient's principal clinical problems and preferences that allow the interface to be customized for each patient.
A series of patient diaries was developed by George Washington University to facilitate reporting of self-care information by diabetic patients. Diaries are implemented in Java servlets that invoke CORBA objects for data base storage and retrieval. The diary data base is linked to R2Do2 reminder agents [11] that alert the clinician to areas where the patient has fallen out of a personalized target range for such variables as weight and blood glucose. Work is underway to integrate these reminder agents with guidelines written in Arden syntax.
Videoconferencing between a patient at home and an office-based clinician is supported by an Internet-based videoconferencing and document sharing capability developed by Concept Five Technologies.
Clinical Workstation
A set of clinician workstation web pages was developed following a standard format (Figure 3). The patient's name, sex, and date of birth are displayed in a banner at the top of the screen. Clinical functions are displayed on the left, including risk assessment, order entry, problem list, medication list, results reporting, and patient diary. System options are displayed on a navigation bar at the bottom of the page, including a calendar, videoconferencing, patient lookup, and system logout.
Clinical functions are implemented using the HOLON architecture. A medication list function invokes a CORBA object that retrieves medications using JDBC from an Oracle 8 data base. A results reporting function uses a similar architecture to present laboratory test results. The problem list functionality is described further in a companion article [12].
Figure 3. Sample clinician workstation page
Order entry allows clinicians to order medications and laboratory tests through the web-based interface. An order is considered to be composed of one or more "order items". To enter a new order item, the user first selects either "medication" or "lab test". For medications, the system provides a text-based search, including partial text matching, into the First Data Bank data base of more than 20,000 drugs. The user may select a drug by either generic or brand name. After the drug is selected, the system displays the available dosages, forms, and routes, and the clinician makes a selection using a hypertext link. Additional information including quantities to take, duration, and text comments, are entered using a form-style interface. For lab orders, the system provides a similar text-based search of the LOINC laboratory test data base. The system includes a personalized list of frequently used laboratory test terms that the clinician can select from in building the query. Upon completion, the system places the order in an Oracle 8 data base using a CORBA object.
CONCLUSION
The HOLON architecture has been shown to provide a secure framework for integrating clinical applications developed by several nationally distributed independent organizations.
ACKNOWLEDGEMENTS
This project was funded by contract 1995-10-0067N, Health Object Library ON-line, from the National Institute of Standards and Technology.
References
1. Jacobson I, Ericsson M, Jacobson A. The Object Advantage: Business Process Reengineering with Object Technology. Addison-Wesley. 1995.
2. Silverman BG, Jones PC, Safran C, Reis L, Ravichandar D, Andonyadis C, Goldberg H, Marsh J. HOLON: Integrating Multiple Paradigms for the Health Information Infrastructure. AMIA 1998.
3. Silverman BG, Moidu K, Clemente BE, Reis L, Ravichandar D, Safran C. HOLON: A Web-Based Framework for Fostering Guideline Applications. AMIA 1997. 374-8.
4. Jones PC, Halamka JD, Silverman GB, et al. Sharing Electronic Patient Records on the World Wide Web using the HOLON Architecture. MedInfo '98, forthcoming.
5. Halamka J, Rind D, Safran C. A WWW Implementation of National Recommendations for Protecting Electronic Health Information. JAMIA. 4(6):458-63. 1997.
6. Kohane I, van Wingerde FJ, Fackler JC, et al. Sharing Medical Records Across Multiple Heterogeneous and Competing Institutions. AMIA 1996. 608-612.
7. Schneier H. Applied Cryptography. John Wiley and Sons. 1996.
8. For the Record: Protecting Electronic Health Information. National Research Council. National Academy Press. 1997.
9. Safran C, Rind D, et al. Protection of Confidentiality in the Computer-based Patient Record. MD Computing. 12(3). 1995.
10. Rind D, Kohane I, Szolovits P, Safran S, Chueh H, Barnett G. Maintaining the Confidentiality of Medical Records Shared over the Internet and World Wide Web. Annals of Internal Medicine. 127(2):138-41. 1997.
11. Silverman BG. Intelligent Agents. MD Computing (forthcoming).
12. Law V, Goldberg HS, Jones PC, Safran C. A Component-Based Problem List Subsystem for the HOLON Testbed. AMIA 1998.