Steve Everest, president of Creative Healthcare Systems, Springfield, Mo., is wiring together an entire community in Kansas (hospitals, library, city agencies, schools and more). He points out one of the possible benefits when an extranet is available. "When the extranet is fully online, children’s immunization records will be available to public health officials. So now Mom doesn’t have to be constantly scrambling through files to find the paperwork." Instead, the information can be updated as needed and passed back and forth between the school and the right city agency.
Linking a town in Kansas is one example of how extranets can help connect people. When asked to define an extranet, however, most experts use a business-to-business scenario. David W. Donahue, president of Bentana Technologies, East Hartford, Conn., says simply: "It’s extending internal access to trusted, outside third partners."
One such "trusted outsider," explains Mark Kriegsman, president of ClearWay Technologies, Boston, might be an outside lab, with an extranet connection that allows the lab to post information directly to an HMO. Indeed, Bruce Elder, healthcare industry manager at Sun Microsystems, Palo Alto, Calif., says that initially extranets will be used in healthcare to transfer information among payors, providers and suppliers.
In addition, an extranet can include consumer interaction. For example, when Fed Ex allows customers into its system to track packages, the company is providing the same kind of access that the customer has via the telephone. The difference is the amount of time the customer saves and the amount of money the company saves. "The cost of a Web transaction is about 50 cents to one dollar, as opposed to paying a salary to someone who has to look up the information and pass it along," Kriegsman points out.
Good, bad and sensible
Costs savings is a major benefit technology experts point to when discussing extranets. "The driving force for extranets isn’t from IS, but from HR and CFOs," says Mark Huber, president of PayFlex Systems USA, Inc., Omaha, Neb. "They say, ’It’s costing us too much money to administer enrollment; we need to spend money on benefits.’" Huber notes that administration, especially in an HMO, is a significant part of an organization’s costs--and at a time when "the cost of healthcare is on the rise again, you’ll see pressure to kill costs wherever possible."
That’s why, Donahue notes, more companies are focused on "integrated outsourcing." Relying on third parties external to the organization to perform certain data functions cuts staff and overall costs.
Another benefit to extranets is avoiding what Donahue calls "Internet Interruptus." In other words, the workflow between one company and another moves smoothly via electronic transfer only so far, and then it must become manual. "The value of the extranet," Donahue says, "is in the true automation of the workflow process."
Yet another advantage found by using an extranet is business flexibility. Kriegsman notes that he’s been able to hire a hot-shot programmer in Arkansas for a lot less than if he had to use a programmer in New York. Extranets allow telecommuting, so a working parent at home with a sick child, or an employee on the road with a laptop, can still "plug in" to the company and do their work.
Finally, an extranet allows improved customer service, with 24-hour, seven-day access.
But even though some experts tout extranets as the next step to the paperless office (which computer experts have been promising for more than a decade), when pressed, they admit companies probably will never truly get rid of paper--and indeed might not want to. After all, Donahue says, there are times you want a paper trail. "[A paperless office] could only occur with a digital certificate on every end of the transaction [so as to authenticate the recipient]"--and that gets expensive. Besides, he says, there simply are times when a "wet signature"--pen on paper--is required.
Still, extranets can reduce the amount of paperwork. "If a company offers open enrollment on its three health plans, administrators can either hand out a lot of paper (which later has to be processed) or they can allow employees to select their choices online and the employer’s records update automatically," Huber says. With an extranet, employees can sign up for benefits through their home computers.
One of the greatest challenges in providing extranet service is integrating legacy systems. Elder notes that providing extranet access is a lot like providing phone service: "I can’t dictate what kind of equipment [the client] has. So I have to find a way to create a network service that works with whatever device (Mac, Compaq, UNIX, etc.) the client has."
Don’t forget the DMZ
That means MIS’ main concern isn’t necessarily whether the network exchange is EDI or the new LDAP technology--a gatekeeper between intranets and an open technology protocol similar to HTML. Rather, the key is how everything is hooked together. "The minute you ask one network server to do more than one thing, it’s easy to screw up," Elder says. That’s why, he says, it’s critical to have a DMZ network (demilitarized zone): segmented servers with one open to the public and another for employees logging on from the outside.
Everest agrees, noting that when the Kansas community’s extranet goes online, it will not only route through a separate server, there’ll be an Ethernet switch to break the link between the core Sun server and the extranet server.
Finding the answers
It might seem surprising, but whereas advice on intranet development centers almost ferociously around security, this aspect is downplayed in discussing extranet development. Part of the reason for this difference is that one cannot build an extranet until an intranet is in place. Officials, therefore, must start with the assumption that basic security steps such as encryption technology and firewalls already are in place. (See "Be Secure," page 00.)
"When I worry about privacy and security as I start to depend on online business, I find a much bigger risk factor--by a ratio of 8-to-2--is the employee inside the company who’s disgruntled or incompetent," Elder says. "We estimate that 80 percent of computer crimes come from one’s own employees."
Nonetheless, Basil Hashem, group program manager for platforms at Netscape, Mountain View, Calif., points out, "The infrastructure may be in place in terms of having firewalls, but if you don’t set up a good access control policy, with procedures to help you validate who’s a real business partner and who’s not, you’re opening yourself up to immense business risks."
Finding the right experts to help with extranet development can be risky in its own way. The most obvious search method is to seriously check references. Then Everest suggests asking extranet consultants these questions:
- What alliances do you have throughout the managed care industry?
- Is your technology sound?
- How long have you been in business? (Have they been around 10 or more years, or are they just part of the short-term "millennium consultants" who have sprung up?)
Netscape offers a seven-point checklist for determining if a managed care organization is ready for an extranet and if officials are choosing the right consultant. (See "Are You Ready For an Extranet?" below.) A good consultant should be able to address all the points on this list.
However, Elder notes that ultimately managed care officials must wrestle with some serious need-to-know issues before they hire their consultants. Any qualified consultant can enforce policies with the right technology, he says, but first those policies have to be in place. "I can put a patient record online and encrypt it securely so that no one can access or manipulate it except Dr. A," Elder says. "But someone has to decide if Dr. A has the right to that access."
Everest offers the following answer to the official at the small managed care organization who says an extranet is not worth the time, money or trouble: "If you say, ’We’re too small, it’s not worth bothering,’ someone else will say, ’Yes it is.’ Executives from a larger entity, like the state or a large hospital, will come in and say they want you to provide this data access. The group that already has taken the initiative will have a better chance of retaining its independence."
Be Secure
OBVIOUSLY BUDGETS, THE AMOUNT OF access granted and other factors will vary among different organizations’ security measures. Following are some options to consider:
The basics."The easiest mistake to make is to open your server directly to the Internet," says Steve Everest, president of Creative Healthcare Systems, Springfield, Mo. Remember that it is a two-way street. If you can dial out, someone else can dial in. Firewalls on both ends are critical.
Access cards.At Everest’s community project, presumably everyone in town eventually will establish their identity (and thus their network access) through a card with a magnetic strip or even a holographic window. However, Matthew Sheridan, vice president of Medic Alert, Turlock, Calif., points out that such cards can be easily lost or stolen. That is a key reason why he feels they are not likely to replace Medic Alert’s famous jewelry, although such cards could hold much more data.
Virtual Private Networks (VPNs).This allows a company to lease part of the Internet for its traffic only. "It’s like leasing one lane of a 12-lane highway," Donahue says.
Biometric authentication.As Bruce Elder, healthcare industry manager at Sun Microsystems, Palo Alto, Calif., points outs, "Someone might steal my password or access card, but they can’t steal my retina or thumbprint." Elder notes that at the last Healthcare Information and Management Systems Society (HIMSS) conference, Sun demonstrated a $300 fingerprint scanner about the size of a mouse.
Are You Ready For An Extranet?
NETSCAPE, MOUNTAIN VIEW, CALIF., offers the following suggestions for organizations deciding whether or not to implement an extranet:
1. Scalability.With an intranet you know the number of people who need access; with an extranet, you may be constantly scaling upward to accommodate the number of people coming online.
2. Software customer service.The ultimate goal is 24 hours, 7 days a week.
3. Enterprise connectivity.The extranet must be able to attach to current system.
4. Security. It is important to evaluate a company’s approach and commitment to security: business practices, employee screenings and physical security systems (guards and alarms). This will help determine a company’s approach to electronic security.
5. E-commerce capability.The extranet must be transactional.
6. Deployment and manageability.The system must deploy easily to the Internet and extend it.
7. Universal client access.Users must be able to access the extranet from any type of system.
Wendy J. Meyeroff is a healthcare and technology writer and Richard E. Meyeroff is president of Meyeroff Computer Consultants. Both are based in Brooklyn, N.Y.
