Monday, March 18, 2013

The impact of lacking IT expertise to support PACS/RIS systems.

Digital medical imaging systems such as Picture Archiving and Communication Systems (PACS) are complex and non-trivial to support. It requires PACS system administrators with expertise in both clinical and IT subject domains to maintain image and data integrity. Preferably, these imaging and information professionals are certified through either one or both of the certification agencies (PARCA or ABII).

There are many installations that rely very heavily on support by their imaging vendor. If the vendor has an on-site service engineer, that is fine, however, this practice is getting less common, and many of these systems rely heavily on remote support or an engineer who might take up to several hours or even a day to get on-site. The impact of the decreased support by vendors is that a hospital has become heavily dependent on in-house expertise.

What are the components of IT expertise for an imaging and informatics professional? The components include knowledge of information communications, which includes the network and application level protocols (DICOM, HL7). This will allow a professional to diagnose, and resolve any integration and communication issues. It requires possession of computer hardware and software skills to maintain and support these systems, which could include both Windows® as well as UNIX®. The professional also should be able to use troubleshooting tools to diagnose any potential issues (see related blog).

Most importantly, these professionals are responsible for the specification and adherence of PACS policies and procedures. There are many policies ranging from whom and where to import images from CD’s, to who is merging duplicate patient studies or fixing missing identifiers in an image header. IT-related PACS policies are critical, for example, who is doing back-ups, how often is a backup done, where is the back-up saved, etc. This does not only refer to backing up images or the corresponding database, but also configuration information, hanging protocols, audit trails, monitor calibration records, etc.

Policies of who has access to what external information is critical as well, as these mission-critical systems have to be extremely well protected from downloading viruses or other malware. In many institutions, the use of external memory sticks is forbidden, and computers are configured to disable these external inputs. Virus scanners, firewalls and intrusion detection systems are critical as well as the definition of Virtual Local Area Networks (VLANs) to restrict traffic, and VPN’s for any external connection. If an external connection is used by a vendor, for example, it should always be routed through an internally managed router, which supports audit trails, preferably using standards as defined by IHE (there is a so-called ATNA integration profile defined for audit trails).

In the US, I have heard of a couple of instances where a system was brought down for several hours or even one or two days because of virus infection, but that seems to be less and less common. I am convinced that the decrease is related to strict enforcements of policies, due to a heavier influence of IT in imaging departments. More PACS administrators are now reporting to IT, if only with a “dotted line” on the organization chart, and PACS administrators have also increased their skill sets, witnessed by the thousands of certified professionals.

By contrast, if I ask in my PACS training classes that I teach in emerging and developing countries, the number one PACS support issue is the constant fight against viruses and malware. There is no question in my mind that this is due to a lack of skills, too few certified professionals, and the absence or lack of enforcement of sound IT policies.

It is obvious that sub-optimal operation impacts the availability of timely and accurate information and ultimately patient care. To resolve this requires building awareness among the decision-makers for the implementation of these imaging and information systems, and stepping up their support for their professionals who seek to obtain these skills. Top-down management support is needed to enforce sound IT policies such as limiting the downloading of information from the Internet, disallowing the use of external media, and other critical policies affecting safety and security. Maybe it takes an incident, such as the case of a hospital in the Northwest United States that lost the images of hundreds of patients who had to be called back to the hospital to redo their exams.

In the meantime, the best thing I can do is keep on writing about this subject, promote the use of policies and procedures, and keep on teaching. Hopefully, I will be heard and people will start taking notice.