Until just a few years ago, a surgical center's IT needs were fairly simple: A single-server system with a few workstations for the business office was sufficient. Relatively small volumes of data and limited bandwidth made data security and networking a relatively straightforward matter. But all of that has changed. The new driving forces are primarily digital imaging, mobile computing, faster computers, bigger storage systems, and increasing staff and patient sophistication. And then there are HIPAA security rules, a federal mandate for fully electronic health records by 2014 and the automation of your supply and equipment companies.

Unfortunately, the IT budgets for many new surgical construction projects are based on assumptions that are no longer relevant, and planning for technology infrastructure is an afterthought at best. A surgical facility that employs digital imaging, voice recognition transcription, paperless records and network-enabled biomedical equipment is considered somewhat of a miracle, yet those technologies are commonplace in most other industries. Here's a primer on the IT components you should build in from the beginning.

The space in your place
There are several reasons you need to dedicate significant, separate space to your computer networking and storage systems. Computer systems generate more heat because they're more powerful, and they do it in a smaller space, because the form factors (the cases containing the processors) are getting smaller. So today's server systems require more fans for cooling, which consume power and generate noise. In addition, the HIPAA security rule requires that servers and storage systems be in a secure location that's inaccessible to both patients and general staff.

As a result, you can't tuck your server systems under a desk in the business office or in a supply closet - you need a designated space that's properly designed by an architect with power and cooling needs in mind. Oftentimes, this space can be shared with equipment for phone, nurse call and access control systems. If you don't plan for this space up front, you'll likely incur significant costs to supply sufficient power and cooling later.

An example: Construction on an eight-room ASC was nearly finished when it was discovered there were no plans for a server/telecom room. One had to be created in the basement by boring through the cement floor and installing extra cooling and power capabilities - for an extra $20,000. Another facility I saw had a server room, but no cooling. The price tag on that change order was $8,000.

Getting connected
The two primary issues here are bandwidth - which is governed by the cable types you'll be using - and the number of jacks that will be available. Category 5 cabling is certified at 100 megabits per second and has been the standard for more than 20 years. Category 6 cabling is certified at one gigabit per second (10 times faster) and only about 20 percent more expensive.

So on the former system, a single user could access a 6-megapixel diagnostic image in about five seconds. Sounds fast, but additional users slow it down. With a CAT6 network, though, 10 users could simultaneously access different 6-megapixel images in roughly five seconds. Although CAT5 is acceptable for now, I'd recommend CAT6 cabling.

The number of data drops should be generous. I'd recommend three per work area for a phone and a desktop. The extra jack will likely come in handy later for a scanner, printer, credit card terminal or additional computer. It only costs about 20 percent more to install these triples. You should also consider cabling pre- and post-op areas to support network-enabled patient monitoring devices. All cabling should be at least CAT5, so they can support voice-over-IP phone systems.

Liberally place data drops throughout ORs. At the very least there should be one each at the head and foot of the table and on the ceiling. Even if you're not initially installing booms or image capture equipment, it's a good idea. When you do get there (and it's a matter of when, not if), why shut down the OR for longer than necessary to open the ceiling and install a $300 data port? Put it in during construction.

At the core
Your servers and storage system form the core of your IT system. The design and capacity must be based on the combined requirements of all the applications you'll use it for: scheduling, billing, imaging, accounting/finance, dictation, reporting and more. Otherwise, you'll end up with a patchwork quilt of systems that can't talk to each other, limiting your ability to be productive and to comply with the government's impending EMR requirements.

Also, the "minimum specifications" provided by software vendors are just that: enough horsepower for the system to power up. If you want it to run well, opt for the recommended specs and, better yet, double them. It'll pay for itself in improved productivity and extended system life alone. You should have the ability to double both the memory and storage of your servers so you can extend its use life when need be, but it doesn't have to be sized to run a small city.

Many software vendors would have you believe that you only need a single server (one that runs their software). But as you likely know, no single software package supports all your clinical and business needs, along with back-office applications like accounting and e-mail. Plus, HIPAA security requires centralized control of all user access and security. You need a core server - a gatekeeper of sorts - that you can use to control user access and all the other servers. New applications that necessitate an additional server can then be added on in building-block fashion.

Back it up
You know how critical data storage is - especially if you've ever run out of hard drive space or lost a hard drive. You have a lot of options for this critical component of IT infrastructure regarding growth potential, security and performance specs; work with an experienced system integrator to design and implement the one that's best for you. The most common cause of data loss is hardware failure, primarily due to power loss or spikes. You can address this risk with mirrored storage, a system in which all data is stored on at least two physical drives.

To protect data from the second leading cause of data loss - user issues - perform offline backups regularly and keep the backed up information inaccessible to most users. Offline doesn't necessarily imply off site, which can create its own issues. Many financial institutions have had their backup tapes stolen in transit. In another case, a medical administrator took backup tapes home nightly, only to have them held hostage by the spouse after an argument. There have also been cases of backup tapes being contaminated by moisture or dirt offsite, rendering the data unusable or damaging the backup units when inserted.

Web-based backup services have become more popular, but these pose significant difficulties. First, transferring even a few gigabytes of data over a T1 circuit - the fastest available - takes many hours. For server systems of 300 gigabytes or more, a Web-based service simply is not feasible. Second, the survivability history of these services has been poor. It just makes more sense to have an in-house data backup system under your control.

Safety patrol
I touched on data security a bit earlier when I talked about not removing backup information from the facility. But it's not quite that easy; there are both internal and external components to be addressed within the core IT infrastructure. Unfortunate-ly, in many cases security is added as an afterthought, if at all.

HIPAA security rules and good business practices dictate that you control security centrally from the core server. All applications should pull the security information from this core server; if there are multiple security schemes, they can trip each other up and compromise the integrity of your data. Segregate what users can do using your IT system according to job functions. Many times I've seen users wrongly set up as administrators because the network security isn't set up right. This is a huge risk and should never be done.

Dealing with external security concerns begins with a hardware firewall as well as anti-virus, anti-spam and anti-spyware software, all driven and enforced from the core server and not from individual workstations. Remote user access should be done only through a hardware virtual private network with software pre-installed on client-owned equipment. We do not recommend Web-based/retail remote access services. Wireless networks need to be securely encrypted, although sometimes a separate, public network segment is set up to allow visitors access only to the Internet.

To protect the system from internal security issues, the core server needs to require "hard" user names and passwords - a combination of both letters and numbers, nothing that spells out a word, and with system-enforced password changes. A strong employee use policy must also be implemented, as user behaviors can diminish or even defeat system security. Workstations need to be set to lock up after a few minutes of inactivity.

Preparation, not procrastination
Just as with all capital equipment investments, you can run the risk of over-investing. Focus on the core components discussed here. They are essential in the build phase; peripheral items (such as wireless tablets) can always be added or upgraded later. Whether you're building or remodeling, count technology issues among your priorities. Consult with IT professionals to plan for current and anticipated IT needs, so that your future capabilities can be adopted far more cheaply than if your facility requires a do-over later.