KRM Associates Inc. has a long track record of successful IT projects and services. KRM has experience working with organizations at the state and local level, as well as educational institutions and private companies. Throughout the company's history, KRM has performed successful, professional project planning, support, and development for organizations across the United States.
|
| West Virginia Department of Health and Human Resources (DHHR) Support |
11/1/2009
|

KRM’s contract duties performed for the West Virginia Department of Health and Human Resources included project management and technical analysis. The project scope included the first phase of the development of an Enterprise Information Architecture for DHHR.
Specific analysis activities included:
- Status of DHHR’s Existing Information Architecture.
- Internet Connectivity and Issues.
- DHHR MIS Staffing and Training Issues.
- Data Ownership, Sharing and Management.
- Contract Management Issues and Strategies.
- Status of Business Processes.
- Migration Toward Advances in Technology.
- Age of Technology and the Year 2000.
- Hardware / Software Procurement.
- Consolidation of Data Processing Activities.
- Data Warehousing.
- Welfare Reform.
- Areas within DHHR Where Technology Could Improve Efficiency.
- Policy and Procedures Standardization Strategies.
|
|
| ENTISAS™ Project Developed for Tri-Care TMA |
5/31/2007
|
KRM successfully developed the ENTISAS™ program for the DOD (Department of Defense) TMA (TriCare Management Activity). This program was delivered 5/31/2007.
ENTISAS (Enterprise Information Security Assessment System) is an enterprise-wide information security repository useful for analyzing security risks, threats and vulnerabilities, as well as mitigation plans, protection profiles and other information security elements, across multiple organizations and organizational elements.
KRM modified the Enterprise Information Security Analysis System (ENTISAS™), based on the Risk Database system originally developed for OCTAVE. KRM has also developed a web-enabled front-end and enhanced security for the ENTISAS™ repository. Additionally, KRM has modified the product to accept data feeds from various vulnerability scanning systems.
This product has been DITSCAP certified. |
|
| Carnegie Mellon University Software Engineering Institute (SEI) OCTAVE |
9/1/2006
|
KRM provided expertise in HIPAA Privacy and Security Regulations. KRM has significant experience in HIPAA Privacy and Security regulations that was integrated into the assessment and mitigation methodologies developed. KRM has assisted government and civilian organizations in refinement of their information privacy and security practices and has continued with supporting the emerging HIPAA requirements. Such experience has been instrumental in developing realistic strategies for compliance with HIPAA legislation and with privacy and security “best” practices in general. Work experience includes:
- Developing an approach and tools to automate site-level capture of security risk assessment results, collection of sites’ data into a centralized data repository, and analysis of the agency-wide information.
- Using results of risk assessments individually and in the aggregate as input to a gap analysis to develop remediation strategies, assess remediation-related funding requests, and develop various alternative-funding options based on maximizing return on investment.
- Developing a business case analysis methodology and using it to examine the applicability of products, tools, and techniques for addressing information security and HIPAA-related requirements.
|
|
| VA Health Information Security Division (HISD) Support |
6/1/2006
|
KRM provided support for the Veterans Administration Health Information Security Division in Martinsburg, West Virginia. The scope of this project included:
An overall goal to establish and operate a world-class HISD that would develop, implement, and evaluate security solutions addressing health data and health information systems, including security standards, access control, and access to health data by external groups.
The VA and other CHIS user organizations established a documented, repeatable, on-going process to measurably improve the security of their sensitive data, and demonstrated its value to its user community by:
- Raising awareness of healthcare specific information systems, to include risks, vulnerabilities, and protection requirements for new and emerging technologies.
- Examining and analyzing vulnerabilities and devising techniques for the cost-effective security and protection of private health information maintained on VHA sensitive systems.
- Developing standards, metrics, tests, and validation programs to:
  - Promote, measure, and validate security in systems and services.
  - Provide system-specific role-based access to staff members.
  - Establish minimum security requirements for healthcare systems.
- Developing guidance to ensure security is included in the system planning, implementation, management, and operational phases of the system life cycle.
- Assisting VHA in planning and implementing best security practices.
|
|
| VA Medical Device Security Assessment Center (MedSAC) |
5/1/2006
|
KRM was tasked to design, document, implement and operate a HISD Medical Device Security Assessment Center (MeDSAC) for VA test purposes (non-production). Product evaluations were conducted on biomedical devices and their associated software packages. The MeDSAC will support a joint endeavor between the Department of Defense (DOD) Teleradiology and Advanced Technologies Research Center (TATRC) at Fort Detrick, MD. KRM has executed a Cooperative Research and Development Agreement (CRDA) with DOD and Georgetown to support these activities.
MeDSAC can assess the following devices:
- FDA 510(k) Medical Devices
- Medical systems (Clients and Servers)
- New platforms being considered at VA facilities
- Tablet PCs
- PDAs
- Wireless
|
|
| KRM supports VA VISTA C&A Project |
3/31/2006
|
KRM served as a sub-contractor to conduct an Independent Security Control Assessment (SCA) of the Veterans Health Information Systems and Technology Architecture (VistA) system. This SCA process supported the certification of VistA on three different computer platforms.
The purpose of the VISTA system is to support clinical and related activities within Veterans Health Administration (VHA) Medical Centers (VAMCs) throughout the country. The VISTA system is currently installed on three computer platforms: VMS/DSM, VMS Cache, and W2K Cache. Testing was completed on each of the 3 platforms. The VistA Legacy Certification Project developed a national methodology to accredit the VISTA Legacy system at the VHA’s 163 medical centers, to include meeting all OMB, NIST, and VA requirements to achieve accreditation. The independent testing of security controls was required to reach that goal.
The VISTA system that had to undergo the SCA process consists primarily of a Kernel and a suite of applications that interact with the Kernel. Communication of data in VISTA uses HL7 and XML standards over VA local area networks (LANs) and the VA wide-area network (WAN).
This project was completed on time and within budget on 3/31/2006. |
|
| DOD Defense Health Information Assurance Program (DHIAP) |
7/1/2002
|
KRM provided subcontract support to the Advanced Technology Institute (ATI) in the execution of the Defense Healthcare Information Assurance Program (DHIAP), sponsored by the Telemedicine and Advanced Technology Research Center (TATRC) for the U.S. Army Medical Research and Materiel Command at Ft. Detrick, MD. This program consisted of identifying potential risks and vulnerabilities in the protection of military medical healthcare information, providing recommendations for operational improvements, and designing and delivering practical solutions. KRM focused on the development of methodology and metrics for performing technical business case analysis for information assurance technologies and solutions, relating both tangible and intangible costs and benefits. KRM efforts involved technologies related to identification, authentication, encryption, auditability and related information security approaches. KRM designed and developed the original data analysis system for Risk Analysis utilizing web-based technology and a ColdFusion front end to an Oracle Database. |
|
| KRM delivers CERBERUS Business Analysis |
3/1/2002
|
KRM was contracted by CERBERUS Capitol Company, LP to perform a Technology and Business Case Assessment of PriMed Technologies, Inc. (PriMed), a healthcare business solutions provider, in contemplation of a potential investment in PriMed to further develop and market their e-commerce healthcare solutions. KRM analyzed the technology being developed by PriMed and provided CERBERUS with an analysis of the technology employed in the products, the uniqueness and marketability of the technology, and the business case prospects.
KRM's assessment included a review of PriMed’s technology that included in-person interviews with the primary officers and technologists of PriMed, and demonstrations of prototype software and actual operating systems either developed or licensed by PriMed. Reviews of the business case and marketing plans were completed, as well as a web-based analysis of the product offerings, competitive strategy of the major competitors, and an exploration of the marketplace and marketability of the technology.
|
|
| U.S. Army MRMC and TATRC Support |
7/1/2001
|
KRM performed an analysis of the application of the U.S. Army Medical Research and Materiel Command (USAMRMC), Telemedicine and Advanced Technology Research Center (TATRC) developed Organizationally Critical Threat and Vulnerability Evaluation (OCTAVE) process for application to the VA healthcare system. The analysis included a review of lessons learned within DOD healthcare and comparison of the environment and challenges within DOD to those applicable to the VA environment. The work also included analysis of the Risk Information Management Resources (RIMR) and the Risk Database (RDB) system that stores information on multiple OCTAVEs. This technology is based on an Oracle database and supports analysis of multiple solutions designed for data gathering. |
|
| West Virginia Healthcare Data Information Sharing |
6/1/2001
|
KRM was contracted by the WV Healthcare Authority to develop healthcare information sharing policies, procedures, and systems for HCA's data sharing efforts pertaining to the private sector. This effort complements the current public sector healthcare information that HCA has compiled and will provide more comprehensive information. This effort is intended to result in the establishment of a pilot project with the participants being the organizations sharing the data. |
|
| Mountain State BlueCross BlueShield Information Assurance |
3/1/2000
|
KRM provided project management, planning and technical support to Mountain State BlueCross BlueShield (MS BC/BS) in the overall design, development and deployment of a secure web-based insurance information system. This development built on existing technology developed as a result of an initiative supported by the National Institute of Standards and Technology (NIST). The effort was targeted at provider specialist referrals, member eligibility verification, claims status inquiry, provider identification, and other areas identified by MS BC/BS. |
|
| NIST/GE/SHINE/Mountain State BlueCross BlueShield Project Support |
12/2/1997
|
KRM was contracted with the West Virginia Statewide Health Information Network (SHINE) to support management and the operation of the organization, as well as provide technical project support for the SHINE/NIST ATP program. The mission of SHINE is to improve patient care by promoting and facilitating the development, implementation, operation and evaluation of healthcare information networks in West Virginia.
KRM provided technical and management support for SHINE, which was selected by HOST to be a test site for a federally funded program. The National Institute of Standards and Technology (NIST), a part of the Department of Commerce, funds an Advanced Technology Program (ATP) with the purpose of encouraging high technology solutions to economic growth in America. Together with General Electric (GE) and Mountain State Blue Cross Blue Shield, SHINE has been funded to be the rural test bed.
KRM supported SHINE in serving as the test bed for a software solution that allowed a physician to access multiple payers’ information across the Internet. In the test bed, Mountain State Blue Cross Blue Shield allowed access to their data for the purpose of inputting eligibility and referral information from an Internet browser. The resulting ‘next day’ posting of transactions will allow the physicians to check the results of the transaction instead of waiting for the regular method of reply, through regular mail. |
|
| VA HOST (Hybrid Open Systems Trials) Program Support |
12/2/1997
|
KRM provided administrative, program management, and technical expertise to the Veterans Health Administration HOST (Hybrid Open Systems Trial) program to support the identification, evaluation, piloting, and documentation of commercially available healthcare technologies. KRM also assisted in the integration efforts to ensure a smooth implementation process of technologies, which proved beneficial to the VA.
Policy Development: KRM assisted in the development of VHA policy that reflected the VA HOST Program approach for achieving their mission, and assisted in the creation of high level planning documentation required to ensure that the VA mission and objectives were adequately researched and defined.
Planning Documentation: Assisted in the creation of high level planning documentation required to ensure that the VA mission and objectives were adequately defined and researched.
Directives and Procedures: KRM developed directives for establishment of a technology clearinghouse for VHA HOST, directives and procedures for pilot project selection, directives and procedures for pilot project execution, directives for buy-versus-build, policy for pilot project migration within VHA, and policy for program process and a program handbook.
Medical Systems Assessments: KRM evaluated and managed over 20 pilot projects involving medical information devices and systems including a number of the major systems that HISD will be assessing.
Technology Evaluation: Assisted the VA as the focal point to assess commercial information technology that provided a functionality rich and cost-effective information system. Technologies evaluated improved operational and management reporting requirements, as well as provided robust enhancements mandated by the health care environment within the VHA. Each technology was evaluated technically, clinically, and from a business perspective.
Pilot Projects Support: Supported approximately twenty-five pilot projects in the assessment of various commercial applications across the country. KRM provided onsite, case by case project management and assistance that included report generation, management assistance, and technical assistance. Upon completion, KRM conducted independent assessments to evaluate and recommend migration potential. |