Establish ‘critical hierarchy’ before 2000 to avoid Y2K bug’s bite
Establish critical hierarchy’ before 2000 to avoid Y2K bug’s bite
Once your house is in order, call suppliers, develop contingencies
Establishing a "critical hierarchy" — placing anything that can affect patients at the top — is the first step toward an effective strategy for year 2000 computer compliance, says Michael Lauffenburger, Y2K manager in information services at ScrippsHealth in San Diego. Next in line after patient care issues is anything that can affect key business operations, such as billing or other financial functions, he adds. "Then, once you have your own house in order, start contacting suppliers and begin developing contingency plans, because even if you’re compliant, if your key suppliers and vendors are not, you could have problems."
At ScrippsHealth, the move to ensure Y2K compliance is well under way, he says, with tentative planning and strategy talks crystallizing in May 1998 into a formal project with a multimillion-dollar budget. Scripps’ program, Lauffenburger says, is divided into six components:
• biomedical devices;
• computer hardware;
• computer software;
• external data or system interfaces (including electronic billing and any data interfaces with non-Scripps entities);
• facility systems (elevators, fire alarms, heating, air conditioning, and other facility systems that are date-sensitive);
• networks and telephones.
Remediation efforts for each component are moving along, he says, with assistance and consulting from Science Applications International Corp. (SAIC), a San Diego-based high-technology company that has assigned 27 full- time employees to the Scripps job.
The first step was to do an enterprise assessment of Scripps’ six hospitals and numerous secondary facilities "to get our arms around what areas we needed to look at," Lauffenburger explains. During this three-month process, Scripps identified and categorized the areas of risk and estimated the work that would be involved.
A standard process for remediation was developed for all of the components, he notes, which involved the following:
1. Inventory.
"We visited every facility and identified every device, every PC, every piece of business-critical software," he says. The inventory process was completed last December. It revealed, among other things, some 3,300 date-sensitive biomedical devices, such as defibrillators, and about 2,800 personal computers.
2. Detailed assessment.
Using basic input-output system testing software that is commercially available, Scripps checked the PCs for Y2K compliance, and 1,700 failed the test. Most of those will be replaced, he says, although some of the newer ones that failed will be upgraded. "The majority of the Pentiums are OK, but the sub-Pentiums will usually fail," Lauffenburger adds. Assessment of the other items was to be finished about mid-March.
3. Planning, remediation, and validation.
"Now that we know what our inventory is and what assets are not Y2K-compliant, the question is, What is the most cost-effective course of remediation?’" he says. "We’ll either repair, replace, or retire the noncompliant devices."
4. Implementation.
Remediation and testing will be completed in September, Lauffenburger notes, and in October, Scripps will implement whatever has been fixed and tested. One caveat to the above timetable involves critical components, those that could directly affect patient care or financial or regulatory functions, he points out. "Those items are on a fast track that is to be completed by the end of July."
As part of its Y2K planning, he says, Scripps Health has "had a lot of dialogue" with other local and national health care organizations. "Because there is, of course, no precedent to Y2K, our intent is, at least in San Diego, to establish best practices — what’s appropriate, what’s overboard, what’s due diligence."
For example, when it comes to storing diesel fuel for backup generators in case of utility company problems, he says, a year’s supply was deemed excessive, but a week’s supply may not be enough. "We’re trying to find the appropriate median."
As a result of these dialogues with other organizations, Lauffenburger says, Scripps has found it is ahead of many other health care entities in Y2K planning.
"The absolute key to that is executive management buy-in. Fortunately, the Scripps’ executive team is totally supportive. [Y2K prepara - tion] is the No. 1 priority."
Software tested in laboratory
Scripps is leaving nothing to chance when it comes to ensuring its software and business operations are Y2K compliant, he notes. Using up to a dozen different tests, the organization is simulating what will happen when the calendar rolls over to 2000, Lauffenburger says.
"We have mirrored our major computer systems in a stand-alone laboratory. We have separate hardware and are making copies our production software systems to ensure that our testing environment is totally representative of our production environment. All of our testing efforts will be fully documented as part of our due-diligence process."
And when it comes to critical components, particularly those affecting patient care, Scripps is taking "an extremely conservative approach," he says. "We’re contacting vendors and, even if they say [their products] are compliant, we’re going ahead and testing them."
That approach certainly is not universal among health care organizations, some of which take the vendor’s word that an item is compliant, he says. "What is justifying [the conservative approach] is that a small but significant number of medical devices that we were told were OK actually failed our Y2K tests. The consequences of a device Y2K-malfunction could obviously be severe."
SAIC’s health care clients vary greatly in the progress they’ve made toward Y2K remediation, says Greg Baker, MBA, assistant vice president and the company’s year 2000 national practice director for health care. Those clients, he notes, include such organizations as Kaiser Permanente in Oakland, CA, the University of Maryland Medical Systems in Baltimore, and Mercy Health Services in Farmington Hills, MI.
"Some are more ahead than others, but most will not fix everything, nor could they expect to fix everything," Baker says. "The discovery effort has been very difficult, particularly in the areas of medical devices and desktop applications. There’s still a fairly big level of unknown, a chunk of inventory as yet undiscovered, and if they don’t know about it, they sure can’t fix it."
A spreadsheet on an older version of Excel, for example, or a homegrown database, are problems the hospital information systems department will have to continue addressing, he notes. "Some support critical business processes even though they’re homegrown."
In addition to these internal concerns, there are the external suppliers, partners, and payers over which an organization has little control, Baker says. "There’s not a lot that can be done to avoid having a supplier stop shipping, although you can do some things to be ready to deal with it."
Beef up those cash reserves
Most hospitals also are concerned about a possible breakdown in the electronic payment process, he says, which has caused some organiza - tions to take a hard look at cash flow and at beefing up cash reserves.
Because it is impossible to fix everything, Baker emphasizes, health care organizations should shift their focus to business continuity while they continue — within constraints — down the path of remediation. "For a long time, the traditional remediation program focused on fixing components, applications, facility systems, medical devices, and network systems," he says. "The thing to realize now is that the continuity of business operations will be threatened for most, if not all, health care organizations." Figure out how much and where and focus on what’s most important and most exposed.
"In a way, [Y2K] always was about business continuity," he adds. "But now we’ve got the raw materials through inventory and remediation to build the bridge. Now companies can reprioritize their efforts — where to do contingency planning and where not to. Without focus, you could write contingency plans forever."
He likens the concept to a financial advisor’s asking, "How much risk are you willing to live with, and based on that, where do you want to make your investment?" Hospitals won’t necessarily spend more than they planned, although they may, Baker says, but they will redistribute funds to the most important areas.
Spending hundreds of millions
The laboratory function, for example, would be a critical function for most hospitals, he points out, because it supports a number of other areas, including inpatient care, surgery, and the emergency department. One of SAIC’s roles, Baker says, is to help companies identify and prioritize the various business elements and determine how much each is at risk.
"Instead of saying an application is in good shape, ask whether a business element — meaning a department or a major business process — is in shape," he advises. This prioritization is necessary, he says, because health care organizations are faced with constraints not only in time, but also in resources.
SAIC’s largest clients are spending "hundreds of millions" on Y2K remediation efforts, and the smaller ones are spending under $10 million, he says. "I don’t know of any that are spending less than a million."
Even so, there is still a fairly prevalent attitude among health care organizations that Y2K is an information technology problem, Baker notes. "It now needs to be treated as a business problem, which it always has been."
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.