Title: Architecture, Networks and System
1Architecture, Networks and System
- Soumitra Sengupta, PhD
- Asst Clinical Professor, Dept of Biomedical Informatics
- Information Security Officer, NewYork-Presbyterian Hospital
- Information Security Officer, Columbia University Medical Center
2Overview
- Architectural Concepts
- Networking Concepts
- Systems
3Architectural Concepts
[Diagram: Organizational Goals, Requirements, Architecture and Systems, connected by arrows labelled "influence", "lead to", "yield" and "suggest new"]
4Architectural Concepts
- Organizational Goals: Become a Reference laboratory service
- Requirements: Acquire Specimens, Reduce Errors, Speed up result time, Be Cost Effective
- Architecture: Distribution of Work, Acquisition, Transportation, Instrumentation, Reporting
- Systems: Nursing; Data collection, Containers; Data Entry, Pneumatic Tubes; Instruments, maintenance, staff; Laboratory Information System; Review of data
- Arrow labels: influence, lead to, suggest new, yield
5Architect's Job
- Understand Goals and Requirements
- Needs and Expectations, Business case
- Understand: Prototyping, prioritization, functional substitution
- Create/Select architecture based on quality and design considerations
- Represent and Communicate: Budget and timeline, functional view, data flow, etc.
- Analyze and evaluate: Use case, maintainability
- Implement and test: Modules, performance, interoperability
- Independent of Computing !!
6Stakeholder Communication
- Different views about the problem and the solution
- Architect needs input from all stakeholders
- Developer/Integrator
- Development organization/Seller
- Buyer
- Customer/end user
- Implementer
- Operations
- Maintenance staff
7Information systems architectural structures
- How and what to communicate?
- Modules - Work assignment, phasing
- Conceptual - Functions, correct behavior
- Process - Programs, performance, human
- Physical - Hardware, delivery framework
- Uses - Program and system dependency
- Calls - modules/subroutines, distributed messaging, client-server
- Data flow - Functional flow of information
- Control flow - System states, flowcharts
- Classes - Object-oriented design
8IAIMS Architecture (Modular View)
9Success Criteria for an Architecture
- Quality Attributes
- System
- Business
- Criteria
- Observable at the development site
- Observable via execution at the customer site
- Quantitative/Qualitative
10Success Criteria for an Architecture
- System Quality Attributes Observable at development end
- Development expenses and time
- Ease of development
- Testability
- Modifiability
- Portability
- Reusability
11Success Criteria for an Architecture
- System Quality Attributes Observable at customer end
- Performance (Sluggish, Slows down at 2 PM)
- Functionality (Does it do X?)
- Correctness (Sometimes!)
- Completeness (Partially!)
- Reliability (Why is it not working?)
- Availability (Your cable is disconnected!)
- Security (Please use a password longer than 3 letters!)
12Success Criteria for an Architecture
- System Quality Attributes Observable at customer end
- Usability (More on this in Cognitive/HCI sections)
- Learnability
- Efficiency
- Memorability
- Error Avoidance
- Error Handling
- Modifiability (What does it cost to add X?)
- Ability to Integrate (How well does it fit institutional standards?)
- Flexibility (How well does it adapt with changes?)
13Success Criteria for an Architecture
- Business Quality Attributes
- Time to market
- Target market
- Projected lifetime of the system
- Rollout schedule/Project plan execution
- ROI
- Maintenance/Operational Costs
14Architecture Homilies
- Gain high level but complete picture about business processes and technology solutions
- Know the past, Master the present, Peer ahead to the future
- Present facts, demand facts, Practice evidence-based computing
- Think institutional, but remember to sweat the details
- Adapt, because technology moves fast
- Communicate, because people remain the same
- There is no perfection, so consider all pros and cons
15Overview
- Architectural Concepts
- Networking Concepts
- Systems
16Networks
- Communication infrastructure
- Enabling technology (with Personal Computing)
- Speed
- Internet
- Wireless
- Convergence
- Voice
- Devices
- Security
17Layered Networks
- 7. Application: Useful pieces of code (message)
- 6. Presentation: ASCII ↔ EBCDIC data conversion
- 5. Session: None (IP), Logical Units (IBM)
- 4. Transport: UDP, TCP (IP) (segment)
- 3. Network: Internet Protocol (IP), SNA (IBM), AppleTalk, Novell IPX (x) (datagram, packet)
- 2. Link: Ethernet, 802.11, PPTP, T1, Frame Relay LAN/WAN (frames, packet)
18Layers, Services, Protocols
20Physical Layer (EIA 569-A)
21Physical Layer
- Issues
- COST (Labor)
- Cabling standard and types
- Category 3, 4, 5 Copper (16MHz, 20MHz, 100MHz)
- Multi-Mode, Single-Mode Fiber (GHz, distance)
- Competency (kinks, terminations, workmanship)
- Reliability (HVAC, mess-up factor)
- Flexibility (Topology reconfiguration - Star)
22Data Link Layer
- IEEE Standard
- Two sub-layers
- Logical Link Layer (802.2) and
- Media Access Layer (802.3, 802.11)
- Each Link Interface gets a Media Access Control (MAC) aka Ethernet Address
- 6 Bytes long
- Globally Unique: 00096b (IBM), 00007d (Sun)
23Data Link Layer
- Topology
- Bus (Ethernet Carrier Sense Multiple Access / Collision Detect),
- Ring (Token Passing),
- Hierarchy
24Data Link Layer
- Switches are multi-port link layer devices connecting workstations and switches
- No collisions, better speed
- Organized hierarchically
- Uplink Gigabit, downstream 100/10 Mbps
- Fits Star topology
[Diagram: switch hierarchy with workstations (W/S), floor switches (Flr Sw), building switches (Bldg Sw) and a core switch (Core Sw)]
25Network Layer
- Problem in connecting multiple workstations
- LAN / Link technology
- Speed variation
- Frame size variation
- Network layer addresses global communication
- Logical Addressing: Layer 3 address (IP 156.111.60.150)
- World-wide Routing: Optimal paths (using Routers)
- Fragmentation and reassembly, Error Handling
- Internet Protocol (IP) is Connection-less: Best delivery
26Transport Layer
- Transport layer offers different levels of reliability
- Program Level Addressing
- (Ports 21, 23, 25, 80, 443, 1214, 3389, etc.)
- Universal Datagram Protocol (UDP): Best-effort delivery, no guarantees
- Domain Name Service (DNS)
- Simple Network Management Protocol (SNMP)
- Transmission Control Protocol (TCP): Guaranteed delivery, ordered segments, no duplicates
- Hypertext Transport Protocol
- Telnet
27TCP/IP Routers
- Routers connect disparate Link layer technologies to route IP packets
- Construct Enterprise backbone as well as the Internet
- Issues: Performance, Redundancy, Security, Cost
- Merged with switches (Switch Routers)
- Improved efficiencies, speed
- Better control and manageability (Virtual LAN technology)
28Network Design
[Diagram: Dual-homed Floor Switch-Routers; Dual-Homed Building Switch-Routers; Redundant Backbone Core Switch-Routers; Server Farm (Servers); WAN Locations; Internet]
29Application Layer
- Naming Services
- Domain Name Service (DNS)
- Lightweight Directory Access Protocol (LDAP)
- Yellow Pages - Network Information Services (NIS)
- File and Print Services
- Network File Services (NFS), Server Message Blocks (SMB) / WinFS, Apple File Share
- Internet Printing Protocol (IPP)
- Terminal / GUI / file transfer services
- Telnet, FTP, SSH, SCP
- Email SMTP, IMAP, POP
- Web HTTP
- Domain specific Applications
30NYSERnet Manhattan Dark Fiber Project NYP, Columbia
31NYSERNet Lower Manhattan
32NYSERNet Upper Manhattan
33Overview
- Architectural Concepts
- Networking Concepts
- Systems
34World Wide Web
- Derived from gopher, WAIS, SGML, Apple Hyperlink, MIME, Public and Private Key cryptography, NeXTStep, etc.
- Features
- Links (URL, Ability to leverage independent publishers, functionality)
- Multimedia (text, graphics, audio, video, forms, etc. - functionality)
- Platform independent rendition (flexibility, simplicity)
- Mark Up Language (HTML, XML, ASCII/Unicode, simplicity)
- Dynamic computing (Common Gateway Interface, Javascript, Applets, Servlets, Extensibility)
- Security (Authentication, SSL Encryption)
- MIME-type Plug-in (extensibility)
- And it continues to grow (Web Services)
- http://www.boutell.com/newfaq/definitions/
35World Wide Web - HTTP
- telnet io.dbmi.columbia.edu 80
- Trying...
- Connected to io.dmi.columbia.edu.
- Escape character is '^]'.
- GET / HTTP/1.0 (<enter twice>)
- HTTP/1.1 200 OK
- Date: Tue, 29 Mar 2005 16:24:02 GMT
- Server: Apache/2.0.46 (Unix) mod_ssl/2.0.46 OpenSSL/0.9.7b mod_jk/1.2.1 PHP/4.3.3
- Last-Modified: Tue, 22 Mar 2005 15:50:49 GMT
- ETag: "f77-21e0-cefaa840"
- Accept-Ranges: bytes
- Content-Length: 8672
- Connection: close
- Content-Type: text/html; charset=ISO-8859-1
- <HTML>
- ..
- </HTML>
- Connection closed.
36World Wide Web - Naming
- Uniform Resource Locator (URL) / Web Address
- Protocol: http, https, ftp, file, mailto
- Name: www.dbmi.columbia.edu (or IP address)
- Optional port number: www.dbmi.columbia.edu:80
- Path: /educ/curriculum/curriculum.html
- Other possible protocols with different meanings of path
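The request typed in the telnet session on slide 35 and the URL parts listed above, as an added example in Python (not part of the original slides): it splits a URL into protocol, name, port and path, builds the same HTTP/1.0 request, and parses a response into status, headers and body, listing the software the Server header names. `SAMPLE_RESPONSE` is constructed from the slide's header values with a shortened body, and the function names are assumptions of this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}
# Constructed sample: header values copied from the slide's telnet session,
# body shortened, so Content-Length here is the sample's own length.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 29 Mar 2005 16:24:02 GMT\r\n"
    b"Server: Apache/2.0.46 (Unix) mod_ssl/2.0.46 OpenSSL/0.9.7b "
    b"mod_jk/1.2.1 PHP/4.3.3\r\n"
    b"Content-Length: 13\r\n"
    b"Content-Type: text/html; charset=ISO-8859-1\r\n"
    b"\r\n"
    b"<HTML></HTML>"
)


def build_request(url):
    """Split a URL into protocol, name, port and path; build the GET request."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    path = parts.path or "/"
    # The blank line ("enter twice" in the telnet session) ends the request.
    request = f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")
    return parts.scheme, parts.hostname, port, path, request


def parse_response(raw):
    """Return (status code, reason, headers dict, body) from raw response bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, code, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        raise ValueError("body length does not match Content-Length")
    return int(code), reason, headers, body


def server_products(headers):
    """Software name/version tokens the server advertises about itself."""
    return [tok for tok in headers.get("server", "").split() if "/" in tok]


if __name__ == "__main__":
    print(build_request("http://www.dbmi.columbia.edu:80/educ/curriculum/curriculum.html"))
    code, reason, headers, body = parse_response(SAMPLE_RESPONSE)
    print(code, reason, server_products(headers))
```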
37World Wide Web - CGI
38Computing Models
- Not Client-Server
- Hardwired, unshared cable
- Dumb terminals, limited or no graphics
- Client-Server
- Simple Clients
- Efficient, very useful, no graphics
- Terminal Emulation (Telnet, ssh), FTP
- SMTP (Email)
- Apple Print
39Computing Models
- Graphics based Client-Server
- Graphics in Client to exploit client power
- Heavy in networking load
- X Windows
- Citrix, Windows RDP
- Fat Client
- Adding significant logic to Clients
- Version problem
- Client power problem
- Many applications
- Windows Version 3
40Computing Models
- Thin Client Model
- Graphics in Client with little logic
- Markup Language
- Web, Citrix
- Uniformity across clients
- 3-Tier Client-Server
- Thin Client access from the workstation
- Fat Client access from the intermediate application server
- Database in the back server
- Web-Services model
- Using standard markup language (XML)
- Using standard protocols (Web Services, derived from HTTP)
41Data Processing
- Online Transaction Processing (OLTP)
- Lightweight processing
- High volume during work hours
- Network intensive
- Enterprise class systems
- Batch reporting
- Heavy database access
- Month-End, Year-End Processing
- Web-based distribution
42Data Processing
- Online Analytic Processing (OLAP) / Decision Support Systems (DSS)
- Intermediate-term (hourly, daily) views
- Dynamic, multi-dimensional views (Slice and Dice)
- Replicated data into OLAP tools (Business Intelligence Systems)
- Needs data from multiple sources
- Time requirement is Semi-Real Time
- Alerting
43Data Processing
[Diagram: Production Databases, Enterprise Repository / Data Warehouse, Workgroup Datamarts and Personal Mobile Datamarts, connected by "Replicate", "Distribute" and "Query" links]
44Patient Data
[Diagram labels: ADT, Lab, Rad, ICU, Pharm, Billing; Handling, Translation, Routing, Monitoring, Access; Warehouse, Workstation, Repository, Destinations; DAMs; MLMs, Rules; MED, Tables; HL7, formats]
45Patient Data Exchange
- Message Handling
- What are the messages, and how are they structured? How are they communicated?
- ANSI Health Level 7 standard
- Non-standard, institutional data unit structure local client-server comm.
- Choice of underlying communication
- Program based: Sockets, RPC
- Files over FTP, SFTP, file sharing drives
- Message Aggregation Format
- Multiple HL7 messages in a file (batch billing) or single HL7 Message in a file (EKG images)
46Patient Data
47Patient Data Exchange
- Translation
- Semantic Conversion of codes
- Use of Translation tables
- Maintenance problem
- Medical Entities Dictionary
- Holder of medical entities and their semantic relationships
- Auto-generation of Translation tables from the MED
- Also, many other benefits
48Patient Data
49Patient Data Exchange
- Message Routing
- Many applications need the same data (ADT)
- The logic for appropriate data items to be replicated and routed to the correct destinations
- A store-and-forward queuing mechanism
- Handle failures gracefully
- Maintain order of messages
- Performance statistics
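A store-and-forward router with the properties listed on this slide, as an added example in Python (not code from the slides or from any interface engine product): each message is replicated onto a per-destination FIFO queue, a failed send leaves the head of the queue in place so order is kept, and counters are recorded per destination. The routing table, destination names and the two HL7 v2 messages are constructed for illustration.

```python
from collections import deque

# Constructed routing table (destination names are hypothetical): MSH-9 type -> destinations.
ROUTES = {"ADT": ["lab", "rad", "billing"], "ORU": ["repository"]}

# Constructed HL7 v2 messages with made-up identifiers; segments end with "\r".
ADT_A01 = "MSH|^~\\&|REG|HOSP|IE|HOSP|200503291624||ADT^A01|MSG0001|P|2.3\rPID|1||000001\r"
ADT_A03 = "MSH|^~\\&|REG|HOSP|IE|HOSP|200503291630||ADT^A03|MSG0002|P|2.3\rPID|1||000001\r"


def message_type(hl7):
    """Return (message type, control id) from MSH-9 and MSH-10."""
    msh = hl7.split("\r")[0].split("|")
    if msh[0] != "MSH" or len(msh) < 10:
        raise ValueError("not an HL7 v2 message")
    return msh[8].split("^")[0], msh[9]


class Router:
    def __init__(self, routes):
        self.routes = routes
        self.queues = {d: deque() for dests in routes.values() for d in dests}
        self.stats = {d: {"queued": 0, "delivered": 0, "failures": 0} for d in self.queues}
        self.unrouted = []  # messages with no route are kept, not dropped

    def accept(self, hl7):
        """Store: replicate the message onto every destination's FIFO queue."""
        mtype, _ = message_type(hl7)
        dests = self.routes.get(mtype, [])
        if not dests:
            self.unrouted.append(hl7)
        for dest in dests:
            self.queues[dest].append(hl7)
            self.stats[dest]["queued"] += 1
        return dests

    def forward(self, dest, send):
        """Forward in order; on a send failure stop and leave the head queued."""
        queue = self.queues[dest]
        while queue:
            try:
                send(queue[0])
            except OSError:
                self.stats[dest]["failures"] += 1
                return False
            queue.popleft()
            self.stats[dest]["delivered"] += 1
        return True


if __name__ == "__main__":
    router = Router(ROUTES)
    print(router.accept(ADT_A01), router.accept(ADT_A03))
    print(router.forward("lab", print), router.stats["lab"])
```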
50Patient Data
51Patient Data Exchange
- Event Monitoring
- Messages represent Events
- Events may be monitored for clinical alerting
- Hard-coded rules, Medical Logic Modules (MLM)
- Delivery and storage of alerts are interesting problems
52Patient Data
53Patient Data Exchange
- Access Layer
- Software modules for specific functions
- Clinical repository functions
- Alert rules database function
- Data Access Modules
- A layer that permits database independence
- All DB related structures reside in this layer
54Patient Data
[Diagram: same labels as slide 44, plus "Interface Engine"]
55Health Care Middleware
- Medical Entities Dictionary
- Interface Engines
- And other health communication engines
- DICOM Brokers
- Fax Brokers
- Master Patient Index
- Credentialing system
- Health event monitoring and alerting system
56Health Care Applications
- Enterprise systems
- Registration, Billing
- HR, Materials, Gen Ledger, Payroll, etc.
- Repositories (Inpatient, Outpatient)
- PACS
- Ancillary systems
- Lab, Rad, Path, etc.
- Devices and Modalities
- Point Of Service
- Diagnostic and Interventional devices
- Drug or material dispensing devices
- Monitoring devices, (cameras, HVAC sensors)
57- NYP CU WC Relationship picture
58CUMC Health Care Systems
[Diagram labels: Web Browser Javascript; HTTPS; SunOne Web Server; CGI Programs (C); Sockets Proprietary; IBM Mainframe CICS TPS DB2 database; SunOne Directory Server (LDAP); MED Replica (Shmed); numbered callouts 1 and 2]
59CUMC Health Care Systems
[Diagram labels: Web Browser Javascript; HTTPS; SunOne Web Server; CGI Programs (C); Sockets Proprietary; IBM Mainframe CICS TPS DB2 database; EKG Tracing Image Database; Reports; Images; Interface Engine; GE EKG System (MUSE)]
60CUMC Health Care Systems
[Diagram labels: Web Browser Javascript; HTTPS; SunOne Web Server; CGI Programs (C); Sockets Proprietary; IBM Mainframe CICS TPS DB2 database; HL7; DB Replication; Interface Engine; Vigilence Alerting System (Monitoring); HL7]
61CUMC Health Care Systems
[Diagram labels: Web Browser Javascript; HTTPS; SunOne Web Server; CGI Programs (C); Sockets Proprietary; IBM Mainframe CICS TPS DB2 database; MED Replica (Shmed); SFTP; Interface Engine; Jim Cimino's PC MED; MED Distribution Server]
62CUMC Health Care Systems
[Diagram labels: Web Browser Javascript; HTTPS; SunOne Web Server; CGI Programs (C); Sockets Proprietary; IBM Mainframe CICS TPS DB2 database; SunOne Directory Server (LDAP); Authentication; Lab, Rad, Many others; Interface Engine; Orders; Lab, Rad, Pharmacy Results; Citrix Client; Citrix ICA; Citrix Server; Eclipsys XA Order Entry (.com/.net)]
63Health Care Systems
[Diagram labels: IBM Mainframe CICS TPS DB2 database; Eclipsys SCC East campus; Interface Engine; DB2 Replication; Unix Warehouse Sybase database Research queries; Business Intelligence Systems; TIBCO]
64Electronic Master Patient Index
[Diagram labels: Eagle Registration System (East); Eagle Registration System (West); IDX Registration System (Univ); Registration System M Hosp; Registration System Q Hosp; Etc.; ADT (three links); Interface Engine; EMPI Database; Query; Registration Workstation]
65Overview
- Architectural Concepts
- Networking Concepts
- Systems (Security)
66Concepts of Info Security
- Protect Electronic Protected Health Information (EPHI)
- Confidentiality
- Prevent unauthorized access or release of EPHI
- Prevent abuse of access
- Integrity
- Prevent unauthorized changes to EPHI
- Availability
- Prevent service disruption due to malicious or accidental actions, or natural disasters.
67Concepts of Info Security
- There are NO perfectly secure information systems
- We have to identify RISKS specific to an ASSET based upon possible THREATS, and then
- Implement and modify SECURITY CONTROLS to reduce risks, so that
- Residual risks are at an ACCEPTABLE level.
- Threats may become security INCIDENTS, which lead to SANCTIONS and modified security controls
- Acknowledge SECURITY CONTROLS and EASE OF ACCESS often work against each other
68Risk Management Objects Relationships
[Diagram: objects Assets, Controls, Threats, Vulnerabilities, Risks, Incidents, Measurement, Resolution and Sanctions; relationship labels: "value", "have", "costs", "if imperfect, yield", "when realized, instantiate", "potentially add", "potentially reduce", "quantify", "resolve", "criteria", "re-evaluation (retroactively improve)", "not acceptable (proactively improve)", "may lead to", "acceptable"]
69Security Controls
- Network/Host controls
- Firewalls, Intrusion Detection/Prevention Systems
- Secure Remote Access
- Virtual Private Networks
- VPN over SSL
- Bandwidth monitoring
- Anti-virus, Anti-spyware, Integrity checks
- Etc.
70Security Controls
- Procedural Controls
- Termination Control
- Change Control
- Disaster Recovery
- Quarantine
- Network
- Application
- Audits and Security Metrics
- Single Authentication/Single Sign On
- Etc.
71Summary
- There are measures of good health care systems in health care institutions
- Understanding attributes of computing infrastructure is necessary to create good architectures and good systems
- Healthcare computing is work in progress, its challenges are unique