Present: M. Balassone, T. Basler, F. Clark, K. Davis, B. Ellis, T. Higerd, S. Mixon, M. Schaffner, D. Shaw, D. Soper, J. Waller, P. Wamsley
Absent: P. Cawley, L. Montgomery, M. Schmidt, M. Snook, J. Welton
Guests: Richard Gadsden, Mark Daniels, John Dell, Dave Moses, Joe Gough, Ben Rogers, Kurt Nendorf, Dave Dement, Reece Smith, Terry McKinney
Dr. Frank Clark opened the meeting at 0730. Minutes were approved as written. Please forward any corrections / changes to Melissa.
Information Security and IT Compliance Council (ISICC): Richard Gadsden and Reece Smith
Richard presented an overview of the new ISICC and its charter, which is focused on security and compliance. Its functions are to provide guidance and oversight to the information security program, ensure that policies and procedures cover the security mandates, and help to set priorities for security and compliance.
Key issues in security include: enterprise risk assessment, development of an enterprise security plan, updating the policy framework, data protection, and incident response. Key compliance issues include: HIPAA security, HITECH, PCI data security standards, FIFITPA (SC data security protection act), e-Discovery, 21 CFR Part 11 (research and clinical trials), LOA, HEOA (Higher Education Opportunity Act).
The council developed new procedures for device and media disposal, laptop encryption and secure email and are currently involved in a governance self-assessment project regarding how well we are doing with IT security in general. There has not been an initiative to compare these across other academic medical centers. Our risk management score was the lowest, confirming that having a formal risk assessment program probably needs to be our highest priority.
Immediate priorities are to complete a documented enterprise-wide risk assessment, and develop a written enterprise security plan. The group will be coming back to IMC with security policies and the enterprise security plan for review and approval.
Reece Smith commented that HITECH requirements to notify various individuals, the press, and HHS for any breach over 500 people heightens the need to do a comprehensive risk assessment. A short discussion ensued regarding laptop encryption and who should be using it. Kurt Nendorf will follow up with information about current utilization and licensing for laptop encryption.
Enterprise Data Warehouse (EDW) - Mark Daniels
Mark defined the enterprise data warehouse (EDW) as a repository of an organization's electronically stored (important) data. Data warehouses are designed to facilitate reporting and analysis. The intent for MUSC's EDW is to collect and aggregate all data of importance to MUSC in a single place - initially this will be clinical data, but will also include financial, HR, administrative, and academic in the future.
As of mid-December, all discrete data flowing into the eCareNet clinical data repository is also being loaded into the EDW. The data is refreshed every 24 hours at 6pm. The initial load took about ten days to load seventeen years' worth of data.
The reporting tool is drag and drop and very powerful. Dr. Cawley is assembling a group to evaluate how we can best maximize use of the EDW for quality assessment. Dr. Lanier is also heading up a group to review utilization of the EDW from a research / IRB perspective. Users are grouped based on their authorization to access various types of data.
Dr. Basler commented that they are currently amassing an academic data warehouse that should be able to be accessible to the EDW so that it can be linked rather than having individual silos of data.
Password encryption / Digital Signatures - Richard Gadsden
Dr. Schmidt alerted OCIO to a problem with a number of internal websites that require user authentication: some were authenticating over an insecure connection (not SSL). Richard Gadsden worked with the owners of those sites to correct the authentication and initiated a search to find others that may be problematic, and several hundred have been identified. A project is being undertaken to get these sites corrected. A question was also raised about digital signatures. This issue has never percolated to the top of an enterprise-wide priority list for cost vs. need. An enterprise infrastructure framework would be necessary to implement digital signatures and there is some cost involved.
HzERM Update - John Dell
John Dell gave an update on the Keane replacement project (Horizon Enterprise Revenue Management or HzERM). The system encompasses access services (admitting, census, tracking, bed management), revenue management (connection with payers, compliance, billing), and consumer management (bill-pay, check-in, pre-registration). The contract was signed in March 2008 to purchase HzERM when the product was still under development. The product delivery schedule has been delayed and we will not be getting all the needed modules in time for us to go live with our intended date. Recently, it was decided that the project would be placed on hold and we will review status again at the end of this year.
ER 10.1 Upgrade Status - Mark Daniels
We are currently enmeshed in a major upgrade with our McKesson clinical systems - Enterprise Release 10.1 (ER 10.1). The scheduled cutover is at the end of March; however, a delay of up to two weeks is possible. We should have confirmation tomorrow. We have seven open issues that are critical or urgent and need to determine if these are showstopper issues. Moving to this release is essential to support the new revenue cycle system, but will also provide some additional functionality to end users. Mark also gave a quick overview of major rollouts planned over the rest of this calendar year. Dr. Soper asked for assurance that appropriate attention is being paid to integration of inpatient and outpatient data. Mark explained that the integration point is really the clinical data repository (CDR). In addition, the medication reconciliation project will integrate meds and problem lists from Practice Partner into the CDR. Dr. Soper advised that admission notes from Practice Partner also need to be integrated, and discharge summaries from inpatient stays need to go back to Practice Partner.
Power Outage Assessment - Kurt Nendorf
Kurt discussed the power outage that occurred on February 13 (the snow day) in Charleston. There is a static switch in the data center which comes in from SCE&G and the power goes into an uninterruptible power supply (UPS). If we lose street power, generators take over. The generators did not synch appropriately and caused battery drainage within the three UPS units. The static switch had a short in it and turned off both power feeds into the data center at 2:15 in the morning. However, multiple power outages started occurring around 9:30 that evening, which started the entire chain of events. Almost all systems were back up by 10:30 am the following morning. The next step is to get a third party forensic review of the event and evaluate the possibility of new generators.
Asset Management System - Patrick Wamsley
Patrick introduced Terry McKinney and Dave Dement who gave a presentation on Asset Works. The need for such a system came through the FAIC via a request from CHP to purchase an asset management system. Assessment of the campus revealed 6-7 systems in use across campus. The FAIC recommended centralization on a single system, including components of work order systems, inventory management, space management. JCAHO has recommended that we proceed with purchasing the asset management system for the hospital. Hospital and University are trying to partner and find a solution that meets both university and hospital needs.
Current systems are old with limited functionality and need replacement. The system of interest is Asset Works, which has the capability to tie into other core enterprise systems. Asset Works has experience with higher education institutions and some hospitals. It is a complete web based solution. Goals are to reduce total cost of ownership and enhance response times and customer service. Preliminary cost estimates are $500K - roughly $1M once implementation services are added in. Dr. Clark asked that all associated costs are identified and that all other asset management systems on campus will be retired. All of those modules need to be evaluated to determine what will be implemented when. Dr. Higerd asked that space management be incorporated into the solution as well.
Academic Council Update: Dr. Darlene Shaw
Dr. Shaw provided a brief update on several areas:
The campus EAI portal was piloted in CHP and turned out to be a much more complicated project than expected. The committee has been retired and a succinct list of portal functions was created by Greg Fisher. A champion in another college is being sought to pilot the new portal.
An "Electronic Communications" group with representatives from each college has been established to evaluate and create guidelines for students particularly related to their use of social networking sites. The group has elected to create a list of do's and don'ts for students. The guidelines will reference existing policies at MUSC.
The Education Globalization Infrastructure Group (EGIG) chaired by Darlene Shaw with representatives from each college, evaluated all distance education-related proposals for ARRA funds. The group rank ordered the proposals and has submitted the list to Dr. Raymond for review and approval. The group has been retired.
A group composed of Education and Student Life and OCIO personnel has been formed to ensure MUSC's compliance with the Higher Education Opportunity Act P2P provisions. The act deals, in part, with informing students about copyright regulations as well as providing them with information about how to legally share peer-to-peer information including downloading music. MUSC must have these provisions in place by Summer 2010.
FAIC - Patrick Wamsley
Funds have been identified for this year's budget to purchase hardware to partially address PCI concerns; however, additional funding will be required to fully implement PCI compliance. We are working with SC.Gov regarding credit card acceptance. There is no timeline yet for rollout; reconciliation issues are being addressed and policies and procedures are being developed. Stewart Mixon also advised the group that the annual survey for SSN use will be sent out in the next couple of weeks.
Other Clinical Updates - Melissa Forinash (for Dr. Schaffner)
Dr. Schaffner prepared a report from the Clinical Integration Information Council (CIIC) which was distributed to the council. This report will also be sent out with the minutes.
Next Meeting Date / Time:
There was no further business and the meeting adjourned at 0900. The next meeting will be held on Wednesday, June 9, 2010 in CSB Room 601.