Helios.bridge: A bridge to the patient

Helios is a trailblazer in the digitization of administrative and medical processes in Europe. Using modules from ICW’s eHealth Suite, the hospital operator has developed a pioneering architecture with the objective of getting patients actively involved in digital treatment processes. Data protection and data security played a pivotal role in implementation.

Helios is Europe’s leading private hospital operator, with more than 111 acute-care and rehabilitation hospitals, 89 healthcare centers (MVZs), four rehabilitation centers, 17 prevention centers, and 12 nursing facilities in Germany alone.

Helios is an innovative enterprise, promoting digitization of administrative and medical processes in all its facilities and providing cross-enterprise value-adding services for patients and physicians. In the last few months, Helios has set up a centralized infrastructure called Helios.bridge for value-adding services, such as hello, the Helios patient portal, or integrated mobile apps. Helios.bridge can be integrated into the existing infrastructure of the Helios hospitals, supports open standards for interoperable data exchange between the facilities’ IT systems and the value-adding services, and meets current data protection requirements. Helios.bridge runs on Helios.cloud. This backbone infrastructure connects all the Helios locations and main computing centers (certified in accordance with the Reliable Data Center CAT III standard). All cross-institutional online services are also provided via this infrastructure. All Helios.bridge components and processes are therefore included in the certified information management system in accordance with ISO/IEC 27001:2013, and are thus also evaluated during the yearly audits by TÜV Rheinland, as well as in independent external pen tests.

 

Architecture overview

To create Helios.bridge, a central IHE affinity domain was created using various modules of the ICW eHealth Suite:

[Figure: Architecture overview]

The messaging module MESSAGE FILTERING AGENT is installed in the local Helios facilities and forwards patient data to Helios.bridge once patient consent is given electronically. Helios.bridge includes a MASTER PATIENT INDEX, which receives patient identities from the local facilities via HL7 ADT messages and links them with a unique cross-enterprise patient identity. Links to registered documents are stored in the DOCUMENT & IMAGE EXCHANGE module. The documents themselves remain in the local archiving systems and are only requested when accessed. Communication with the archiving systems is based on IHE PIX and IHE XDS.b. Structured medical data such as case information, diagnoses, procedures, or lab results are transferred in the form of HL7v2 messages and stored in the CLINICAL DATA REPOSITORY module. The PROVIDER DIRECTORY module stores information about facilities and service providers in a central index that is used for unique identification of such information in referral scenarios. With the PATIENT ONBOARDING module, patients can register as users and link their user accounts with the associated cross-enterprise electronic patient record. This module also enables patients to manage their consents to data transfers and authorize their apps to access data. The APP CONNECT module provides numerous HL7 FHIR interfaces for secure bidirectional data exchange between Helios.bridge and the various value-adding services.

Data and use cases

Helios.bridge gives patients the ability to access a variety of medical information, including all the information that is relevant to them, if they have specifically authorized such transfers from the institutions involved. Once the current phase of the project is completed by the end of the year, this will encompass the following information and medical documents:

  • Administrative data
    – Patient data
    – Encounter data
    – Appointments
  • Documents and image data
    – Unstructured PDF documents (discharge letters, case summaries, laboratory and pathology reports, medication lists…)
    – X-ray, ultrasound, MRI, and CT images, photos (usually converted)
  • Structured data
    – Lab results
    – Diagnoses
    – Procedures
    – Forms

Users can also upload data to the Helios.bridge record themselves, e.g. via a mobile app. That data will then be available to the facilities for further diagnostic and therapeutic purposes. Below are three sample scenarios:

Scenario A: Forms to be filled out by the patient (self-check-in) in a wide variety of situations. For example, patients can provide their medical history ahead of a planned rehabilitation program by completing the complex VOMR (Vocationally Oriented Medical Rehabilitation) form, which runs to more than 10 pages, from the comfort of home. The form includes detailed questions about previous illnesses, previous treatments, medication, risk factors, current status, home and work situation, social environment, disability, and expectations from rehabilitation. The data from the form can be transferred into the HIS of the admitting rehabilitation hospital as an HL7 FHIR questionnaire response and will then be directly available to the treating medical personnel for their first interview with the patient.

Scenario B: Using wearables to record various parameters, such as body weight, blood pressure, blood sugar, and oxygen saturation, and transferring the device data to Helios.bridge via a mobile app. Metabolic surgery (gastric reduction) is one example of this type of use: During the preceding preparation period, which lasts for several months, the patient participates in behavioral therapy classes, and vital signs are measured regularly. This is particularly important for cost coverage by statutory health insurance companies. Wearables/smart devices record, transmit, and integrate data, which significantly facilitates this complex process.

Scenario C: Linking external sources in various scenarios via IHE interfaces (Cross Enterprise Document Sharing (XDS) and Cross Community Access (XCA)).

 

Data protection and data security

Helios.bridge was developed in close coordination with the competent authorities, so data protection and information security are ensured at all times. Access to Helios.bridge is protected by a three-level system. Multiple features are available to users depending on their security level:

  1. Registration and login
    – General information (e.g. hospitals, departments, contacts)
    – Booking and service functionalities (e.g. contact forms, appointment requests)
    – Free Wi-Fi
  2. Two-factor authentication
    – Retrieving personal information (consent and account management)
    – Access to the Messaging Center
    – Managing/canceling appointments
  3. Facility authorization
    – Retrieving health-related data
    – Access to medical information, data, and documents

 

To use the general information and service functionalities at security level 1, patients are only required to complete an informal registration process to set up a user account (username, password and e-mail).

Security level 2 safeguards access to personal information. This requires an additional user authentication process in the form of two-factor authentication (2FA). The two-factor process requires a second, separate confirmation of the user’s identity via the Helios Safe mobile app, which is installed on the patient’s device (smartphone).

2FA establishes the user’s identity by verifying two separate factors specific to that person (challenge response method), namely possession (smartphone) and knowledge (PIN). Thus, if the user wishes to access a level 2 (or 3) service, the Helios Safe app initiates the extra authentication process and the Access Pass (a smart icon) is displayed in the browser. At the same time, a request is sent to the user’s smartphone. After the user enters their personal PIN (or uses Touch ID), several smart icons are displayed in the app. The user must then select the one that is displayed in the browser. Upon successful authorization via the Helios Safe app, the user is automatically redirected to the desired service. Access to a patient’s medical data (security level 3) requires the user to specifically enable data communication in addition to the login and two-factor authentication.

The user must acknowledge the smart icon displayed in the browser in the Helios Safe app. Upon successful authorization, the user is automatically redirected to the desired service.
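The three-level model and the icon-matching step-up described above can be expressed as a single-use, time-limited challenge in front of a default-deny feature check. The following Python is an added example, not code from Helios or ICW; the icon names, feature names, function names, the 120-second lifetime and the `pin_verified` flag (standing in for the PIN or Touch ID check done in the app) are assumptions.

```python
import hmac
import secrets

ICONS = ["anchor", "bell", "cloud", "key", "leaf", "moon", "star", "sun"]  # constructed icon set
# Feature -> minimum security level, following the three-level list above.
REQUIRED_LEVEL = {"request_appointment": 1, "manage_consent": 2,
                  "cancel_appointment": 2, "read_documents": 3}
_rng = secrets.SystemRandom()

class Session:
    def __init__(self, user):
        self.user, self.level, self.challenge = user, 1, None  # level 1 = logged in

def start_challenge(session, now, ttl=120, n_choices=4):
    """Return (icon shown in the browser, shuffled choices shown in the app)."""
    choices = _rng.sample(ICONS, n_choices)
    icon = _rng.choice(choices)
    session.challenge = (icon, now + ttl)
    return icon, choices

def answer_challenge(session, chosen_icon, pin_verified, now):
    """One attempt per challenge: any failure requires a fresh challenge."""
    challenge, session.challenge = session.challenge, None
    if challenge is None or not pin_verified:
        return False
    icon, expires_at = challenge
    if now > expires_at or not hmac.compare_digest(chosen_icon, icon):
        return False
    session.level = 2
    return True

def authorize(session, feature, facility=None, authorized_facilities=()):
    """Default deny: unknown features and missing step-up are refused."""
    need = REQUIRED_LEVEL.get(feature)
    if need is None:
        return False
    if need == 1:
        return True
    if session.level < 2:
        return False
    # Level 3 additionally needs the patient's authorization for that facility.
    return need == 2 or facility in authorized_facilities
```

Consuming the challenge on every answer means a wrong pick cannot be retried against the same icon, so the guess rate is bounded by how often new challenges are issued.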

 

Enabling communication in Helios.bridge is a facility-based process carried out by the patient:

  • The patients are sent a PIN letter with a randomly generated, time-limited PIN code in advance of a stay in a Helios facility. Transfer of data from the facility involved (a whitelist entry in the Message Filtering Agent module) to Helios.bridge is enabled by entering both the code and additional selected information known only to the patient (secrets) in an online form.
  • Patients can revoke their consent to data transfer associated with that particular facility at any time. The user profile, accessed via two-factor authentication, includes an overview of all the facilities the user has authorized (Site List), where they can delete data from the desired facility that is already stored in Helios.bridge, and/or deactivate message forwarding from that facility (temporarily or permanently).

After the patient has enabled data transfer, various data and documents generated during treatment are registered in a cross-enterprise IHE Document Registry and loaded from the local archiving systems when needed.
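The facility-based enabling step and the Site List controls described above amount to a default-deny forwarding gate keyed by facility and patient. The following Python is an added example, not code from Helios or the ICW Message Filtering Agent; the class `ConsentGate`, its method names, the 14-day PIN lifetime, the attempt limit, the assumption that the expected secret is known when the PIN is issued, and the sample HL7 message are all assumptions made for illustration.

```python
import hashlib, hmac, os, secrets

class ConsentGate:
    def __init__(self, pin_ttl=14 * 86400, max_attempts=5):
        self.pin_ttl, self.max_attempts = pin_ttl, max_attempts
        self.pending = {}    # (facility, patient) -> [salt, verifier, expires_at, failures]
        self.whitelist = {}  # (facility, patient) -> "active" | "suspended" | "revoked"

    @staticmethod
    def _verifier(salt, pin, secret):
        # Slow KDF: a short PIN must not be recoverable from a leaked store.
        return hashlib.pbkdf2_hmac("sha256", f"{pin}\x00{secret}".encode(), salt, 100_000)

    def issue_pin(self, facility, patient_id, secret, now):
        pin = "".join(secrets.choice("0123456789") for _ in range(8))
        salt = os.urandom(16)
        self.pending[(facility, patient_id)] = [
            salt, self._verifier(salt, pin, secret), now + self.pin_ttl, 0]
        return pin  # printed in the PIN letter only; never stored in clear

    def enable(self, facility, patient_id, pin, secret, now):
        key = (facility, patient_id)
        entry = self.pending.get(key)
        if entry is None or now > entry[2]:      # unknown or expired PIN
            return False
        if not hmac.compare_digest(entry[1], self._verifier(entry[0], pin, secret)):
            entry[3] += 1
            if entry[3] >= self.max_attempts:    # stop online guessing
                del self.pending[key]
            return False
        del self.pending[key]                    # PIN is single use
        self.whitelist[key] = "active"
        return True

    def set_state(self, facility, patient_id, state):
        key = (facility, patient_id)
        if key in self.whitelist:                # only previously enabled sites
            self.whitelist[key] = state          # anything but "active" blocks

    def should_forward(self, hl7_message):
        segs = {s.split("|")[0]: s.split("|") for s in hl7_message.split("\r") if s}
        msh, pid = segs.get("MSH", []), segs.get("PID", [])
        if len(msh) < 4 or len(pid) < 4:         # unparseable: do not forward
            return False
        return self.whitelist.get((msh[3], pid[3].split("^")[0])) == "active"  # MSH-4, PID-3

# Constructed sample ADT^A01 message (not real patient data).
SAMPLE_ADT = ("MSH|^~\\&|HIS|FAC01|BRIDGE|HELIOS|20240101120000||ADT^A01|MSG0001|P|2.5\r"
              "PID|1||PAT123^^^FAC01^PI||DOE^JANE\r")
```

Messages for a patient who never enabled the facility, or who suspended or revoked it, are dropped at the facility before anything reaches the central record.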

All of Helios.bridge’s identity management and authentication processes (including PIN service) use the Patient Onboarding module, which provides a web-based graphical user interface. Authentication takes place there using the OAuth2 process via OpenID Connect, which is also mandatory for all authentication processes in the hello patient portal and for controlling access by other mobile apps.

 

Account management, access control, and consent

For Helios, the primacy of informational self-determination for users/patients is of the utmost importance. Use of Helios.bridge is therefore voluntary as a matter of course and does not have any effect whatsoever on the actual treatment process. The amount of information communicated to Helios.cloud and consumed from the cloud is controlled solely by the user, and the account management functionality provides them with tools that give them granular control over consents and access. This means that they have the option of going through the authorization process for each individual institution, or not. If they do choose to authorize it, data transfer can be stopped at any time, or suspended and then resumed. The user can also delete specific data and documents, all the data from a particular institution, or all the information stored in Helios.cloud. In terms of access to and delivery of data by external third parties, the user is able to control access, so that they can make granular decisions as to who will be allowed to read and supply data that concerns them.

In this context, third parties include (mobile) apps that want to exchange data bidirectionally with Helios.bridge, as well as other individuals (primarily physicians, who may be referring physicians, primary care providers, or others involved in previous, concurrent, or subsequent treatment) who are listed in the Provider Directory. In both cases, the user must explicitly authorize access. Finally, the user can delete his/her user account completely, including all data.