Hawaii Behavioral Health Technology Plan Technology and System Plan Carla Gross Chief Operating Officer Prepared by: Michael Lukson
Hawaii Behavioral Health TECHNOLOGY & SYSTEM PLAN 2013-2015 The purpose of HBH s technology plan if to provide a framework for the delivery and alignment of technological services and solutions to support HBH s mission, HBH mission is to provide a statewide system of integrated services to improve the educational, health, and safety outcomes for Hawaii s youth and families. The HBH Technology Plan applies to any and all technological functions, revision, and expansions within the company. It is intended to outline areas for review and possible implantation. This document is a chronical of the process that HBH has implemented and is updated and published annually to share progress with staff and key stakeholders. Prepared by: Michael Lukson Date: 02/04/2013 Reviewed by: Jessica Wong-Sumida Date: 02/13/2013 Approved by: Carla Gross Date: 02/20/2013
Hawaii Behavioral Health (HBH) must continue to leverage technology in its plans for the future. Technology is a fundamental component in the business operations of Hawaii Behavioral Health. The adaption of new technologies to improve system reliability, employee efficiency and to assist in the management of the company will have a strong impact. HBH is also committed to ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA). As HBH continues its work with the private insurance market, technology systems and practices will continue to be in alignment with this requirement. The basic issues for this year s technology plan is to decide upon the best action to take with regards to existing systems. A decision should be made to either outsource critical systems to ensure effective data protection or to increase training or possibly hire an IT position to support company operations. Hardware Plan a. Server Upgrade/Replacement: HBH has two server data centers located in Honolulu and Hilo. These data center provide an array of services for the company including domain logon/authentication, security assignments for file server data, email server and web server. While both data centers are currently operational it will be important to have planned replacements for data center systems. The following graph outlines the physical layout for both data centers. The Hilo data center servers are nearing end of life expectancy. Both the windows and file servers are over six years old. Budgeting and planning for both systems to be replaced in the near term, should occur before any critical data is put at risk. b. Long Term Hardware Budget and Plan: A long-term (five year) budget plan should be developed to replace critical data center equipment phasing in these new systems in a multi-year plan. Phasing in new
systems over multiple years will spread the capital requirements for the equipment and ensure that systems don t reach their end of life period at same time. This hardware budget/plan should also include other data center appliances such as the firewall/vpn units. Also considered should be the office ethernet cabling and wireless access points. The budget plan could also include scheduled replacement of company workstations and laptops. Possible solutions such as corporate replacement leasing programs could be pursued if cost effective. c. Broadband Internet Connections: A review of site broadband internet connections should occur. Close attention to what vendor is used and what business class speeds are available should be in the review. Cost effective solutions should be pursued for all offices. However, given that work backups occur between the individual geographic locations care that suitable connectivity speeds are available to support business operations. d. Barcode or IT Inventory System Review: A barcode system or inventory review for server and workstations should be looked into. An easy to use barcode software system would help protect IT equipment for the company and assist in inventory documentation. e. Information and Technology System Position: HBH should review the possibility of creating an employee IT position to support existing systems. Currently HBH does not have any professional staff to support data centric operations. Instead it has relied upon external partnerships to provide professional labor. This may cause issues related to timeliness of backups and security procedures if adequately on-site IT staff are not available to perform these functions. An alternative might be to be to identify existing positions to serve as additional IT assets and increase training to support business functions. Anther options would be to outsource existing systems (host with third party company) such as the email or cloud based hosting of file server data. Keep in mind that outsourcing with third party company may cause HIPAA certification problems. SYSTEMS AND SOFTWARE PLAN a. Information and Billings Systems Efficiency Review: HBH currently has two billing and information management systems used. One is a contract vendor solution called NPAWorks. The other is a mandated web input system from the Department of Education used for billing and
inputting of work for that contract. Both systems should be reviewed for efficiency of use. HBH has always been a strong document centric workplace. A document centric workplace is one where common word and spreadsheet documents are often used for management data. In today s information age, the move from document centered solutions to application solutions should be occurring. A review of workplace practices would be good to make sure that maximum utilization of existing information systems is used over user produced documents. b. EMAIL System: HBH should consider the option of outsourcing the email system to a third party partner. Keeping the exchange server running as a stand alone system may put email data at risk. Many companies are outsourcing email to a hosting company. There are a couple options available. One would be hosting with a local third party company. The other would be hosting with an enterprise level host such as Google docs for business. Making this move would have to be evaluated from a cost perspective. The current system and licenses are paid for. Outsourcing to a third party system would involve recurring monthly fees that would be tied into the number of email accounts required. c. CLOUD Storage File System: Another system upgrade for evaluation would be to transfer the file server over to a business class cloud storage solution. This change assist employees with access to the system to centralized business file system. It would also streamline the backup of critical data files since the third party partner of the cloud storage entity would handle the backups for the system. This would also have to be evaluated from a cost perspective. File servers represent an upfront cost to the business. A cloud storage system would result in monthly subscription fees. d. WEB Site Rebuild: A rebuild of the existing web site should be considered. A rebuild of the web site would have multiple intended purposes. The first would be a visual improvement to the existing look and workflow for the site. The current site could be improved upon with a more modern look. A second consideration would be an improvement to the existing employee content. Currently employees can use the site to logon to
email, and download some document. A better system with categorized document downloads would benefit the company. Any new web site designed should be done with a content management system. This will allow HBH to correct and post new information to the site with minimal training. Any new web site should be designed with assistive technology tools in place. This will allow for maximum distribution of essential information to potential interested parties. e. Employee Technology Training Program: An assessment for a possible employee technology training program should be made. The purpose for this training would be a formalized training curriculum based upon position. This training program would be designed to increase system usage familiarity and increase business productivity and efficiency. SECURITY PLAN a. Firewall Review: A review of the firewall appliance will be conducted. Each geographic location should have a firewall with VPN tunnel installed. The firewalls should be updated to the latest firmware which should be documented in an annual security report. b. Anti-Virus Review: A single anti-virus provider should be identified and a corporate subscription setup for all HBH workstations. A documented review of installation and checks per workstation should be conducted to ensure each is protected and updated automatically on a regular basis. c. Domain Logon Review: A review of domain logons should be conducted. It is important that only user level access be granted to the user. The basic user should have no software installation privileges to protect the workstation from viruses, adware and trojans. A review of logons should be conducted annually to also ensure that terminated employees accounts are deleted. This also impacts email accounts. If an employee is on legal the account should be deactivated. CONFIDENTIALITY a. HIPAA Data Review: A review of systems should occur with HIPAA confidentially standards applied. This would be a systemic review of all patient related data to ensure that: i. All patient related data is identified.
BACKUP REVIEW PLAN ii. All web assessable patient related data is protected with encrypted data channels. iii. Employees who have access to this data are identified. iv. All patient related data is protected via file authentication assignments. v. Patient related data centers are in a secure location. The Recovery and Backup Policy should be review for accuracy and updates. A review should also ensure that checklist and backup logs (electronic or paper) are being maintained. Backup equipment should be tested annual as well to ensure proper functioning. DISASTER REVCOVERY PREPARADNESS The HBH Contingency Plan should be reviewed for accuracy and possible updates. In addition a write plan with cost estimate should be produced that identifies specific system components which might be procured in advance to assist with any disaster related events. Because the HBH data centers cannot rely on local off-the-shelf equipment there will be equipment acquisition delays during an actual disaster event. The pre-purchase and storage of potential backup equipment would speed up the reconstitution operations for the data center. This would have to be a cost effective measure and the plan could layout possible equipment and cost factors.