But new systems mean new expectations; now physicians won’t put up with any downtime.

New Headaches

No one remembers what life at Yale-New Haven Hospital was like before the CPOE system. So when it is taken down—which happens every month for scheduled maintenance—"you can’t say, Do what you did before," says Howard Goldberg, the hospital’s director of clinical systems, who reports to CIO Andersen. "When you’ve been up for 11 years, there is no before. Doctors don’t know how to write an order by hand." That’s where a portable gray file box stashed in every unit comes in handy. Inside the file box are instructions and prescription and other order forms.

Yes, paper.

But the chief of staff is putting pressure on Andersen to get rid of the paper. So, as part of an upgrade while converting to a new version of CPOE software, Andersen is splitting the data between two separate data centers three-quarters of a mile apart. Andersen knows what some other health-care CIOs, like John Halamka of CareGroup in Boston, have learned the hard way: The more mission-critical hospital IT systems become, the greater the risks of downtime (read "All Systems Down" at www.cio.com/printlinks).

Making sure the network is crash-proof is only part of the CIO’s problem. Not only are health-care organizations making patient files electronic, they’re putting them online for remote access by doctors and even, in a few pilot programs, by patients.

This raises new privacy and security concerns. What happens if someone breaks into a database of health information and uses it to embarrass patients, commit identity theft or even make a profit on the black market—say, by selling medical records to unscrupulous mortgage companies looking for reasons not to grant loans?

These are valid enough concerns that the federal government, with the passage of the Health Insurance Portability and Accountability Act (HIPAA), has set strict rules around how patient data must be secured and in what cases it may be shared outside the organization. (For more, read "Immune Systems" at www.cio.com/printlinks.)

Health-care entities have to do a better job of explaining their safety precautions. At Yale-New Haven, for instance, a few patients bristled when the time came to upgrade the AIDS clinic with an EMR system because they were worried their personal information would fall into the wrong hands. Yale-New Haven officials took pains to explain that only certain people would have access to those files. What’s more, hospital officials can see who is looking at which files and when. "Once our analyst was able to show the patients that we could now document everybody who looked at their record, they actually felt more comfortable," Andersen says.