Infrastructure to heal

There is nothing more valuable on this planet then human life. Building good hospitals is therefore an important contribution to progress in any given country. From a technical point of view, a hospital is nothing more then a normal office building. You have a data center, a LAN to provide IT traffic and electrical systems to provide power to the rooms. Structured cabling, Fiber Optics, Copper and Wireless are used in similar fashion then in any office building. Yet, there are some mayor differences, most of them involve security, which make hospitals special.

Most hospital buildings are older then 15 years and therefore are not ideally equipped with technology. In order to reap the full benefit of new technologies, what actually is needed is a complete revamp of the building. But considering the effort this takes, this of course is seldomly done.

The ideal situation arises, when completely new buildings can be erected and modern technology can be integrated from day one, instead of being retrofitted later. Fortunately most architects are aware that IT and electrical infrastructure need to be state of the art and that hospitals have specific needs. I have equipped several hospitals lately with cables and I am glad that this business is evolving. My pledge is that IT systems and electrical infrastructure shall always be done according to standards in order to offer responsible and well thought out solutions. A well done hospital is something to be proud of. A poorly executed hospital in contrast is something of a shame, because the potential risks are high. Whenever security is at risk, there should be no short cuts.

The first and overall imperative for any hospital`s technical system is of course FIRE SECURITY. There are always a lot of people in any hospital at any given time, patients, visitors, doctors, nurses, all constantly coming and going, smoking, acting careless, some insane. The risk of a fire breaking out is therefore much higher then in a normal building. The situation is further complicated by the fact that many of the patients are disabled and can not move around freely. They are tied to their beds and completely dependent on help. If a fire breaks out, there is little time to evacuate a hospital.

Special fire protected cables are therefore desperately needed. They have to be at least E90, which means that all the cables in the building need to withstand fires at a temperature of around 700 degrees for at least 90 minutes. This quality is called circuit integrity in a cable and it describes the fact that such a cable continues to function even under dire circumstances. Even if everything around such a cable is in flames, it will still continue to transmit alarms, allow data to go through and pass on emergency warnings. Electrical cables are especially critical for those systems, because they are needed for evacuations. If correct cables are used, sprinklers, emergency lights, emergency doors, ventilation, all continue to work for a long time. This is important, because time is what is desperately needed in order to push beds with the patients to the elevators and out of the building and for the fire fighters to come in.

It is also important that none of the cable materials contains PVC. In case of a fire, PVC will emit dark smoke, which makes orientation difficult and is poisonous to the lungs. Smoke from PVC contains sulphur acid that kills and also causes decades of uninsured logn-term damage to expensive electronic equipment such as tomographs. If equipment breaks down after five years, there is no proof to relate that damage to the fire. When thinking of fires, many people have false assumptions. Not the flames are actually what kills, but it is the poisonous smoke. So the most important thing in a fire is to crawl to the emergency light as soon as possible. In Hollywood movies you have heroes standing in the middle of flames, shooting at the bad guys with full visibility. In real life, smoke sinks down like a deadly curtain within seconds. The only thing to do is to get out as quick as possible.

In order to deal with the large amount of electricity needed in operation rooms, a 10 MW cable that feeds right inside to the most critical positions of a building is recommended. Once again this cable has to be fire proof and withstand flames. The best cables for that purpose are those cables with mantles that have been crosslinked and have mica tape and other materials inside to withstand even large fires. Using 10 MW as a current saves energy. The transformers can be kept outside the building. Installation costs and electricity costs can be both reduced. 10 smaller cables are more expensive to install then 1 big one and the higher the energy is during usage and the closer it gets to the point of use, the less electricity is wasted.

Availability of IT systems is most needed in areas right at the entrance of hospitals, where ambulances and helicopters arrive and new patients register. The first minutes are critical and IT systems shall never break down here. High bandwidths and reliability are especially important in this area. In a hospital patients with strokes or heart attacks are common. And those need treatment extremely fast. For stroke patients „time is brain“. If the right treatment does not occurr immediately upon arrival, permanent damage will occur;  disability, mental retardation, death. The main problem is that diagnosis is not easy. In an ideal world, a specialist with a lot of experience whould be positioned right at the entrance of each hospital at all tiomes and it would be his job to evaluate each and every incoming patient carefully upon his or her arrival. This specialist would then decide what needs to be done. A quick injection of blood thinner can save many stroke victims from permanent damage. If it is done immerdiately, chances are high that these people could leave hospital completely healthy. However there are different types of strokes with similar diagnosis, so only a true specialist can distinguish, if this is a good treatment or not. If a blood thinner is giving to the wrong patient, this approach is deadly.

Once again the problem is that in a normal hospital, true specialists are always in demand, so often the landing point in a hospital is vacant and hospitals are not able to react fast. So the callenge for a modern hospital is that it is equipped with a tomograph, a web cam and a stable IT connection to a centralized point, where specialists are present all the time to give advice to the staff at the entrance how to react in any specific case. Sadly enough very few hospitals in the world have such a tele- medicine set-up in place, although this would save a lot of lives.

Less dramatic, but still very irritating is the DATA PROTECTION and IT security situation in most hospitals. In theory, only unauthorized hospital staff shall gain access to patient data. Theoretically users shall only log onto the IT system, after having closed the preceding session. Only then would they be allowed to log on again with their passwords. The only problem is that hospitals have a large variety of complicated applications (KIS, PACS,etc.) and each have seperate passwords. If all the rules are observed, a lot of precious time is wasted just for the log on process. The average staff member needs to log on five times per shift, which takes at least 2 minutes each time. Often passwords are forgotten and help desks get their call. In a normal hospital with 1000 employees, this adds up to 10.000 minutes, 166 hours per day of wasted time.

It is natural that hospital staff in order to save time, often use group PCs. This means there is one central application with a group password in the middle of the room, which is always open and accessible by whoever wants, he or she simply comes and enters or takes data. This is a scandal, but unfortunately it seems to be the only way to work normally in most hospitals around the world. There are good security systems available on the market, but rarely they are used in hospitals, because of price. Once again, it is sad to note that for a bank, investors are always willing to spend large amounts on IT infrastructure, but for hospitals IT is often like the red haired step-child who always gets the beating and little attention.

Good solutions for authorization are RFID chips in the wallet of employees. These are recognized by computers as the user comes closer and then all is needed is only one simple password.(single sign-on) Other systems recognize the palm, or the finger of each user, sometimes their voice. Sometimes the index finger is for one role, the thumb gives you other rights, and so on, which makes the system very flexible. Ideally, whenever someone stops using a computer, it should lock off immediately and jump only back to life with new authorization and ideally at the point where work stopped before. If another authorized user arrives to the same computer, he is automatically guided to the page, where he stopped working before and so on. Ideally sessions can also be taken through various rooms. If, for example, a patient is treated in different OP areas and the network is set up properly, the doctor can access patient documents always on the right spot wherever he goes. This helps the patient as the doctor has time to get acquainted with the case and errors are avoided. Modern copper solution allow for up to four multi-media applications per port, so it would be advisable to have such a clean log on spot in every corner and in each room of the building. As tomographic and other supporting pictures are usually very large, wireless often can not cope with the bandwidth, also it sometimes disturbs the sensitive medical devices nearby and does not always get the coverage necessary everywhere in the hospital. Using reliable cable connections seems to be the best choice here.

Another issue of course is the protection of interfaces. Computer viruses are may be not such a serious problem in hospitals such as biological viruses. But they do cause a lot of downtime and hassle. Most of the computer viruses come via the USB port. Segmenting networks and cutting off this functionality is difficult, so here again special software is needed. Politically this is difficult, because everyone loves an open USB port. But the need to be protected from key loggers, troyans and viruses spreading around freely should be considered. Some of these viruses exhibit plenty of malicious traits such as rootkit capabilities and can hook deep into the operating systems, they do browser hijacking and interfere with the proper working of medical devices.

Also important is monitoring software that allows to upgrade all components of the network with regular patches. Whenever a user does not log in regularly and therefore does not have the necessary patch level, he should be locked out from the network, until he registers anew. Ideally access is granted to ressources only in strict time frames. For example the service employee of a medical device supplier can access the network only at those times, when his visit is scheduled and after that the visit his rights are immediately revoked. Doctors from other clinics are allowed access, but only to their personal data and only to the data of their patients and not of everyone and so on.

Risk management is always a compromise. Benefits need to outweight the effort. If the amount of possible damage is large and the probability of something will happen is high, the disgruntlement of some users and some burocratic hassle is justified. Unfortunately often only a data breach and the bad publicity this finds in the press, brings about any change. One doctor loosing a laptop with critical data was enough to force an entire hospital I know to buy encryption software for everyone, for example.

What is definetly highly recommended is to bring multi media possibilities to each and every room of a hospital. And near the landing areas there should be redundancy, so there is always a free port to log on and access data. Wireless networks are great, but quality copper cables and fiber optics for the long distances between buildings are recommended. There are special materials for the cable mantles that will make it unpleasant for bacteria to settle on them and that should be used for hygienic reasons. Also the ports need to be cleaned daily.

Hospitals have a special responsibility to protect patient data. The most critical data is for example the list of HIV patients. If that list falls into the hands of unscrupulous insurers or employers, the life of these unfortunate people will be ruined forever.

But it is not only the HIV patients that are in danger. Everyone is in danger! Medical data that becomes public knowledge is a threat to the community. After all, with enough bad luck we can all end up as spare parts. Think of the situation of some wealthy person somewhere, desperately searching for an organ with a specific DNA. Theoretically, if that person had access to hospital data, he could scan the data base for the correct DNA and the worst case scenario would be that a crazy hunt would start for you, simply because you are the one whose DNA matched the requested DNA.

So hospital IT systems always need to document with extreme care, what is going on within their system! It is the duty of each hospital to be accountable at all times. They need to justify all the time who has had access to secret patient data. Access rights need to be granted that are very specific and clearly seperated from one another. It is not allowable to give group access. Every user has to be clearly defined and a central point has to control user access at all times. There has to be an internal logic within the system and it is important that there is a quick overview how often users access their data. If a user doesn`t access his data, that access needs to be revoked, unless the inactivity is explained. Data needs to be classified according to confidentiality. A central help desk needs to be implemented that sets up new users and administers all changes. There can not be any short cuts for privileged users, no Gods in White are allowed. Everyone has to obey the rules. There shall be always two seperate systems, one for visitors and patients, and one for permanent staff. These two systems shall always be seperated one from the other. Efficient work flows have to be established, which regulate who has to sign up if something in the standard process is changed (the four eyes principle). There needs to be a system of Data governance in place that intervenes, whenever something sounds strange. Regular audits need to be done. One dedicated person, the medical IT risk manager as he is called in norm DIN EN 80001, needs to be responsible if secret data gets stolen. If unusual activities take place, (for example if there is all on a sudden a lot of access to a data set, which normally is never touched), then alarms need to go off. Data that is seldomly used, needs to be archived off-line. This also reduces cost and workability of the active system.

In hospitals, the law has it that patient data needs to be preserved for 30 years. Danger of litigation is always in the air. If an IT network in a hospital is offline for more then 15 seconds, (time to breath in twice) surely a law suit will come. Therefore the robustness and reliability of the system is a high priority. The first step is to assure that every employee in IT has a clear role. According to that role every employee gets his rights, according to the information he really needs to know for his job. And not more, unless explicitly requested, authorized and documented in the system.

The issues mentioned are just a few aspects from the top of my head which I think are especially important in any hospital. There are so many other issues, it is hard to mention them all. But if questions arise, I am always glad to answer to questions and to direct to other specialists. If a few basics are done well, a hospital has all the potential to become a place of hope, blessed by God, where people are brought back to full recovery and where doctors have the power to save human lifes and where human progress most beautifully manifests itself.