WebCIS: Large Scale Deployment of a

Web-based Clinical Information System

George Hripcsak, M.D., James J. Cimino, M.D., Soumitra Sengupta, Ph.D.

Department ofMedical Informatics, Columbia University, New York

WebCIS is a Web-based clinical informationsystem. It sits atop the existing Columbia Universityclinical information system architecture, whichincludes a clinical repository, the Medical EntitiesDictionary, an HL7 interface engine, and an ArdenSyntax based clinical event monitor. WebCIS securityfeatures include authentication with secure tokens,authorization maintained in an LDAP server, SSLencryption, permanent audit logs, and applicationtime outs. WebCIS is currently used by 810physicians at the Columbia-Presbyterian center ofNew York Presbyterian Healthcare to review andenter data into the electronic medical record.Current deployment challenges include maintainingadequate database performance despite complexqueries, replacing large numbers of computers thatcannot run modern Web browsers, and training usersthat have never logged onto the Web. Although theraised expectations and higher goals have increaseddeployment costs, the end result is a far morefunctional, far more available system.

Introduction

The emergence of the World Wide Webpromises to make clinical information available tousers wherever and whenever they need it.Informatics researchers and vendors have alreadybegun to extend or replace their systems with Web-based user interfaces.' 3 Although the Web hasclearly sped application development, its effect onlarge-scale deployment still remains to be seen.

WebCIS is a Web-based clinical informationsystem. It will replace a legacy system, known as"DHIS," at the Columbia-Presbyterian center ofNewYork Presbyterian Healthcare, and it will be extendedto other hospitals in the network. Deployment beganin August 1998. As of June 1999, there were 810physicians using WebCIS; the target is 4300 users bythe end of the year. In this paper, we report on ourexperience building and deploying WebCIS in alarge, complex environment.

Application

The main screen of WebCIS is shown in Figure1. WebCIS is a sophisticated clinical repositorybrowser that displays information from ancillary,

registration, and ambulatory systems. Users retrieveinformation sorted by source department and thentime; sorted purely by time; or aggregated in one ofseveral views, including spreadsheets, cross patientsummaries, and graphs. Users can define and requestnew spreadsheets over the electronic mail-basedfeedback function. Since its inception, several dataentry functions have been added. Users may enterclinical notes that are signed electronically andarchived permanently, they may create lists ofpatients, and they may enter work-list summaries forgenerating signout sheets (similar to Partners4).

Architecture

A clinical information system architecture allowsan institution to manage change.56 The legacyclinical repository browser, DHIS, sits atop theColumbia clinical information architecture', shown inFigure 2. There is a centralized clinical repository,that collects data from all clinically relevantapplications in the institution, including departmentalsystems and interactive clinical user interfaces. AHealth Level Seven (HL7) interface engine mediatesall data transfer. It uses information from theinstitutional vocabulary, known as the MedicalEntities Dictionary (MED),9 which defines all codeddata stored in the database, translates betweenapplication coding systems, and provides aclassification hierarchy and semantic relationshipsthat simplify coding and vocabulary maintenance. Asdata are stored in the repository, messages are sent toan Arden Syntax-based event monitors that providesautomated decision support.

DHIS is a character-based system that runs on3270 emulation software. It was built using an IBMmainframe tool set for health applications (PCS-ADS, IBM, Hawthorne, New York). This software,which was written in the 1980's, will not run on year2000 compliant versions of the mainframe operatingsystem and therefore must be replaced.

WebCIS is DHIS's replacement. It sits atop thesame clinical information system architecture, whichhas required only minimal changes to accommodatethe new repository browser. WebCIS's design, whichis shown in Figure 2, is similar to that of two otherWeb-based applications, PolyMed11 and PatCIS.12WebCIS is implemented as a set of Common

1091-8280/99/$5.00 © 1999 AMIA, Inc. 804

Figure 1. WebCIS main screen.

Gateway Interface (CGI) programs written in C andrunning on a UNIX Web server. The Web servercommunicates with the mainframe-based repositoryusing the TCPIP socket protocol. The CGI programsgenerate HTML and JavaScript, which then executeon the client Web browser.

WebCIS exploits the existing architecture inseveral ways. Spreadsheets are not hard coded, butare defined in the MED. The class "clinical view"contains all spreadsheets, which are in turn composedof classes of results such as "intravascular sodiumtest." Several different applications share the sameset of spreadsheets, improving consistency across theinstitution's suite of clinical applications andreducing maintenance. New user requests forspreadsheets are sent to a knowledge engineer, whocan quickly incorporate the changes into the MED.

Multi-institution support

The Web promises to facilitate inter-institutioncommunication.' 2'13 The recent merger ofPresbyterian Hospital, New York Hospital, and 15other hospitals to form New York PresbyterianHealthcare has created the need to coordinateinformation for five million patients. There are manydifferent clinical applications installed among thehospitals, and it is unlikely that a single suite ofapplications will suffice. Therefore, the goal is tomerge clinical information from the institutions into asingle repository and to use WebCIS as a commonviewer for this information.

The Columbia clinical information architecture isfacilitating this task. New data definitions are storedin the MED, data is uploaded via the HL7 interfaceengine into the repository, and WebCIS displays theinformation without requiring further coding. Forexample, new sodium tests are placed under the class

805

Figure 2. Architecture

"intravascular sodium" so that they can be displayedalong with the sodiums from other institutions. (As ofthis writing, data from the New York-Cornell centerhas been stored on a pilot basis.)

Performance requirements

One of the primary challenges facing any clinicalinformation system is performance. DHIS has sub-second response time, and users expect similarperformance from its replacement. We thereforeassessed the recent load on DHIS. There have beenabout 4300 distinct clinical users per month. Theoverall breakdown of their roles is shown in Table 1.

Table 1. DHIS distinct users per month.

User type NumberPhysicians 1500Nurses 1000Students 400Administrative, other 1400Total 4300

The performance of the clinical informationsystem is bound by the database queries. Table 2shows the number of database transactions persecond during peak periods.

Table 2. DHIS database transactions (peak hours).

Transaction type #per secondLaboratory query 1.0Radiology report query 0.5Other data query and upload 0.5Total 2.0

These numbers are useful in two ways. Theyallow one to estimate the expected database load forWebCIS, and they provide an estimate to the fre-quency of Web server requests that can be expectedat peak times. In DHIS, there are approximately twomainframe server requests (screen flips) for eachdatabase query; the extra queries are due tonavigation screens. WebCIS servers should receiveabout the same number, or four requests per second.

The actual load on the system may be higher orlower, depending on how the system is used. Greaterhome usage may result in more total queries per day,but they are unlikely to occur during peak periods.Greater availability from outlying offices, however,may increase the peak load. Whereas DHIS shows asingle result at a time, WebCIS shows moreaggregate views. Therefore, each database queryfrom WebCIS, on average, represents a greater loadon the database server. Anned with more data perrequest (for example, a spreadsheet of many valuesinstead of a single test), users may make fewerrequests by spending more time on each aggregateview. Or users may move through the requests just asquickly, increasing the load on the database. So far, asignificant change in load has not been detected.

Therefore, it appears that existing Web serverswill easily meet the demands of WebCIS (even usingthe somewhat inefficient CGI protocol). Achievingsufficient throughput at the database may be achallenge, however.

Network performance is also an issue. Manyusers are accessing the system from homes or officesvia older modems as slow as 14.4 kilobaud. Serverrequests and replies have therefore been kept as shortas possible, and unnecessary images have beeneliminated.

Security

The expansion of the World Wide Web hascreated enormous sensitivity over patient privacy andsecurity for a number of reasons. The popularity of

806

the Web and ease of access to many informationresources has made the issue concrete to people whootherwise would not have thought about orunderstood the issue. More clinical applications arebeing made available over the Internet. Many morepeople, including potential intruders, are connected tothe Internet today than a few years ago. Web searchengines make it easier to find many Web-basedclinical information systems, thus making themtargets for attack. Although better software to protectsecurity has appeared over time, more software tocompromise security (for example, passwordcracking programs) are also available. The greatercomplexity of computer systems and the ease ofplacing information on the Web (even by mistake)have made institutions more vulnerable. For example,a university health system accidentally placed a 10megabyte log of the activity of its patient schedulingsystem on the World Wide Web, exposing patientnames, social security numbers, employment,diagnoses, and treatment records to the public14; itwas discovered via the university's Web site searchengine. As more people gain even legitimate accessto electronic medical records, sensitivity to privacy isincreasing. For example, at another institution,patient records and audit logs were made availableelectronically to patients who were employees of theinstitution in a pilot program. One employee, ondiscovering that a person had inappropriatelyaccessed his record, sued the institution and settledout of court. The pilot was discontinued.

There has therefore been enormous sensitivitylocally over patient privacy and security, and a greatdeal of effort has gone into security. WebCISemploys a number of security features.3"2Authentication is based on a password and a token.On entering the application from the Internet, a useris asked to enter his user ID, a secure password, andthe number from a smart card (SecurID, SecurityDynamics Technologies, Inc., Bedford, MA). Accessfrom within the campus requires only the user ID andpassword. When users create passwords, thepasswords are immediately run through passwordcracking programs to ensure that non-trivialpasswords are used. User accounts are inactivatedafter six months of nonuse.

Authorization information is stored in aLightweight Directory Access Protocol (LDAP)server. Authorization is mainly role-based with theability to make individual exceptions. Access toindividual types of clinical data can be set with a finegranularity. Encryption is accomplished withNetscape's implementation of the Secure SocketsLayer (SSL) protocol, and it is applied both over theInternet and within the campus. All access is auditedin a permanent audit trail. Recorded information

includes user, IP address, patient, data type, and timeof access. Audit trails are monitored regularly forinappropriate access, and serve as documentation forpatient complaints of privacy breaches. To reducetailgating, in which a person uses someone else'saccount after he fails to log off, sessions time outafter five minutes on all locations except bedsideterminals. Bedside terminals, which are placed insecure areas inside of intensive care units, haveunlimited timeouts but they require re-entering the IDand password every time a patient is changed. Thehospital has hired a full time security officer tooversee all information system security operations.

Deployment and training

Use of the World Wide Web promises to reducedeployment and training costs in several ways. Homecomputers come preinstalled with Web browsersoftware, and many potential users have gottenfamiliar with using Web-based applications and havealready learned skills necessary to use the Web: apointing device, links, pull down menus, etc. Webstandards allow the same application to be viewedover a multitude of hardware platforms, software, andcommunications media.

In practice, deployment and training havebecome more difficult, however. This is due in part tothe attempt to deploy applications much morebroadly than ever before, reaching into homes andoffices on an unprecedented scale. The WebCISdeployment involves computers and printers onnursing stations, clinics, administrative offices,ancillary department offices, physician's privateoffices, and homes. Replacement of outdatedcomputers represents a large part of the deploymentcost: the initial WebCIS roll out requires 300 newcomputers at nursing stations and clinics alone toreplace 286-based PCs. The deployment staff is notdirectly responsible physician's private offices andhomes, but successful deployment requires that theseareas be functioning successfully. Installation ofunrelated software (including games) by thecomputer owner often leads to unexpected problems.

Furthermore, Web standards are still not mature.Due to incompatibilities among Web browserJavaScript implementations, WebCIS requiresNetscape version 4.04 or higher running on Windows95, Windows 98, Windows NT, Macintosh, or UNIX,but not Windows 3.1. Attempts to use WebCIS withan unsupported browser results in a warningmessage, and then usually a series of JavaScripterrors that may or may not stop WebCIS fromrunning. Users who favor browsers such as InternetExplorer often refuse to switch to Netscape, even

807

though they can install both browsers on theirmachine.

Many of the target users have simply notexplored the Web yet. Due to limitations on theuser's time and limitations on the budget, most of thetraining has been accomplished as demonstrations atdepartmental meetings and in small informalsessions. We have also minimized training by makingthe core of WebCIS look analogous to DHIS-aseries of departmental data sources that one caninspect to view results and documents one at a time.Parallel to this are a series of more sophisticatedclinical information views that are supported only inWebCIS: spreadsheets, graphs, temporal filters, andcross-patient summaries. Naive users start with basicfeatures and move to advanced features as theybecome more comfortable with the Web paradigmand alternate views of information.

Discussion

The World Wide Web has certainly madeclinical information more available to more people.Even for the initial 810 active users, there is greaterinterest in using WebCIS from home and remoteoffices. Compared to the effort to deploy an X-Windows based application, WebCIS has been fareasier.

Nevertheless, use of the Web has increasedexpectations, goals, and deployment costs. AlthoughWeb-based application development is very fast,other aspects of the application life cycle have notbeen shortened: developing a business plan, gettingbuy-in, raising capital, buying and installinghardware, training users, etc. An application thattakes weeks to develop can take years to deploy in alarge, complex, multi-institution environment. By thetime an application is fully deployed, its technologymay be obsolete. For example, WebCIS is based onCGI programs and JavaScript; if the design wereredone today it would look very different. If newerWeb browsers do not continue to support theprevious generation technology well-for example, ifJavaScript support becomes unreliable-then theapplication will have to be rebuilt before it is fullydeployed.

The best one can do is stick to a good clinicalapplication architecture, with well-isolated modules,well-defined layers, and industry standard protocols.As breakthroughs occur at each level or within eachmodule, they can be incorporated without replacingthe whole system.

References

1. McDonald CJ, Overhage JM, Dexter PR, et. al.Canopy computing: using the Web in clinicalpractice. JAMA 1998;280:1325-9

2. Kohane IS, Greenspun P. Fackler J, Cimino C,Szolovits P. Building national electronic medicalrecord systems via the World Wide Web. J AmMed Inform Assoc 1996;3:191-207.

3. Cimino JJ, Socratous SA, Clayton PD. Internet asclinical information system: applicationdevelopment using the World Wide Web. J AmMed Inform Assoc 1995;2:273-84.

4. Hiltz FL, Teich JM. Coverage List: a provider-patient database supporting advanced hospitalinformation services. Proc Annu Symp ComputAppl Med Care 1994;:809-13.

5. Stead WW, Borden R, McNulty P, Sittig DF.Building an information management infrastructurein the 90s: the Vanderbilt experiment. Proc AnnuSymp Comput Appl Med Care 1993;534-8.

6. Hripcsak G. IAIMS Architecture. Journal of theAmerican Medical Informatics Association1997;4:S20-30.

7. Johnson SB, Forman B. Cimino JJ, et. al.. A Tech-nological Perspective on the Computer-BasedPatient Record. In: Steen EB (ed). Proceedings ofthe First Annual Nicolas E. Davies CPRRecognition Symposium, 1995; 35-51.

8. Johnson SB, Hripcsak G, Chen J, Clayton P.Accessing the Columbia Clinical Repository. In:Ozbolt JG, editor. Proceedings of the EighteenthAnnual Symposium on Computer Applications inMedical Care, 1994; 281-5.

9. Cimino JJ, Clayton PD, Hripcsak G, Johnson SB.Knowledge-based approaches to the maintenance ofa large controlled medical terminology. J Am MedInform Assoc 1994;1:35-50.

10. Hripcsak G, Clayton PD, Jenders RA, Cimino JJ,Johnson SB. Design of a clinical event monitor.Comput Biomed Res 1996;29:194-221.

11. Cimino JJ, Socratous, SA. Just tell me what youwant!: the promise and perils of rapid prototypingon the World Wide Web. Proc AMIA Annu FallSymp 1996;719-23.

12. Cimino JJ, Sengupta S, Clayton PD, Patel VL,Kushniruk A, Huang X. Architecture for a Web-based clinical information system that keeps designopen and the access closed. Proc AMIA Symp1998;121-5.

13. Teich JM. Clinical information systems forintegrated healthcare networks. Proc Amia Symp1998; 19-28.

14. Glave J. Medical records exposed. In: WiredNews, 1999 Feb 8 2:20 p.m. PST, http://www.wired.comlnews/news/politics/story/17799.html.

808