Michigan Electronic Medical Record Initiative - PowerPoint PPT Presentation

Slides: 14
Provided by: davi889

Transcript and Presenter's Notes


1
Michigan Electronic Medical Record Initiative
  • Security Overview

2
Key Elements: Technological Infrastructure
  • Must be acceptable to data holders/controllers
    (providers, plans, patients, HIPAA)
  • Distributed database, ephemeral use: MEMRI
    manages identity, not data

3
Key Elements: Coalition, Consensus, Trust
  • i33 Communications
  • MEDC
  • MHSC
  • HCIM
  • MPRO
  • Altarum
  • (Cerner)
  • (Covisint)
  • Industry Associations: MHA, MSMS, MAHP, GDAHC,
    MHIMA, HIMSS
  • Support from:
  • Governor Granholm
  • Reps. Levin, Knollenberg
  • Sun Microsystems
  • Cyber-state.org
  • CACH
  • Beaumont, DMC, Crittenton hospitals
  • MSU Clinical Centers
  • Michigan Endocrine Consultants
  • Grunberger Diabetes Institute

4
Architecture Overview
  • Application pulls information from pilot site
    clinical information systems/EMRs, standardizes
    presentation in a Web portal
  • Secure, private connections between the MEMRI
    infrastructure and participating institutions.
  • Patient-authorized physicians, clinicians,
    patients, and others can access from a standard
    web browser
  • All information is encrypted, secured by access
    rules, rights, and privileges set by the
    participating facilities, and enforced by
    identity and access management

5
Hardware Platform
  • Dual-processor servers for administration and web
    services
  • Quad-processor servers for application, portal,
    and identity/directory services

6
Software Platform . . .
  • Operating System: Solaris -- proven, scalable,
    secure. Includes enterprise-class firewall plus
    Kerberos v5 Key Distribution Center (KDC); Secure
    Shell for fully encrypted replacements for
    telnet, ftp, etc.; 128-bit default encryption;
    password encryption control
  • Portal Server: User, policy, identity management.
    Integrated with Directory and Identity Servers to
    enforce security, SSO and access capabilities to
    participating institutions while combining key
    portal services, such as personalization,
    aggregation, security, integration, mobile
    access, and search

7
. . .
  • Identity Server: Authentication, access
    management, single sign-on (SSO).
    Role/rules-based access control to centrally
    create and manage users, delegate user
    administration, and define access policies for
    users on intranets/extranets. Supports Liberty
    federated ID and SAML web services security
    standards
  • Application Server: Near real-time access to
    patient data residing in disparate IT systems.
    Management and load balancing for incoming
    requests, to provide secure access to
    applications and data

8
Main Application
  • Access via Web browser from any location
  • Leverages existing security and access management
    infrastructure at hospital sites, including
    firewalls
  • Information encrypted and secured by access
    rules, rights, and privileges set by the
    facility
  • Queries all member systems in real-time
  • While in reality data from multiple sources will
    be presented to the user, the perception will be
    that a single source was used

9
. . .
  • Clinical information currently available to be
    linked

10
Security
  • Strong transmission encryption -- Traffic over
    the MEMRI WAN/VPN (HNX or Covisint) encrypted
    using IPSec tunneling and 3DES (168 bit)
    encryption between the VPN points of presence
    (source sites). Access circuits may have local
    loop encryption enabled from within the WAN
    router.
  • Multiple authentication options:
    username/password plus
  • Password expiry
  • Password propagation for other web links
  • 3rd party products (thumbprint, retinal scan,
    etc.)
  • Works with back-end (source) systems to determine
    access privileges and restrict data access to
    authorized users
  • Audit trail of all accesses to information and of
    updates to security rules, rights, and privileges
    (configurable to the needs/policies of individual
    participating institutions)
  • No clinical information retained at MEMRI: view
    only

11
Screen shot
12
Architecture Overview
13
  • David Ellis
  • Interim Executive Director
  • david_at_memri.us
  • 313-578-3600
  • www.memri.us