Picking an IT Vendor

July 15, 2005

Steve Rebagliati, MD, MBA, cuts through the technobabble and gives you straightforward advice on the gear you need to succeed. This issue: Choosing a vendor.

Thousands of technology companies are vying for your dollars. Whether you are looking for an EMR, management software, or even just an operating system for your desktop computers, it can be amazingly difficult to figure out which vendor will give you the best product, best price, and best support.

I've worked with many of them, but I still can't say that each and every practice should buy this or that product from just this or that vendor.

Still, some basic ground rules can guide your vendor-selection process.

Here's the inside information on how to select a technology vendor from an expert in the field: Jay Abramovitz, president of Software Technology Group, a biomedical engineering and software development firm in Beaverton, Ore.

Abramovitz is himself a biomedical engineer by training and has consulted with healthcare information technology firms, helping them improve their product offerings for medical practices.

I asked him to share his views on the most common pitfalls to avoid in automating your medical practice.

Three rules

Abramovitz's rule of thumb, which he uses when buying technology for his own firm (and he buys a lot of it), is to avoid vendors who:

  • Support only a single software platform. It's important not to be too firmly tied to one platform. It's equally important that your vendor support several versions of whatever software you're using. For example, for greatest flexibility a company that specializes in Microsoft products should provide support for both Windows XP and Windows 2000, and possibly earlier Windows versions as well.
  • Don't sell nationwide. This suggests an immature company that won't have the resources to support its products.
  • Are relatively new. Abramovitz says that he doesn't like so-called "bleeding edge" technology. In fact, he tells me that although he runs a high-tech firm, he will buy only software and hardware that's been on the market for at least two years.

What about HIPAA?

Don't simply believe what a vendor's marketing department says about a product's HIPAA compliance because, says Abramovitz, "HIPAA means different things to different people." Does the HIPAA compliance feature you're being told about really work? Is it even necessary? It's hard to know at first glance.

Abramovitz's approach has been to independently verify a vendor's security claims. How?

"We hire a network security analyst to do a 'black hat/white hat' test," he told me. In such a test, the analyst runs a system first from a "white hat" perspective, verifying that a product has the security features described by the vendor. Then the analyst does a "black hat" test, with the permission of the client, on mock data to see if he can hack, degrade, corrupt, or otherwise compromise the security of the system. If a system survives this challenge, it's probably secure.

This kind of in-depth analysis generally is reserved for large firms able to spend $30,000 or more on a comprehensive audit. However, Abramovitz explained how small and medium-sized medical practices can conduct their own versions of black hat/white hat tests at a reasonable cost. You can download this information for free from www.infotechfordoctors.com or from the "Tools" section of www.PhysiciansPractice.com. I'll summarize it for you in my next column.

This article originally appeared in the July/August 2005 issue of Physicians Practice.