Protecting Patient Data Throughout Its Life Cycle
Healthcare organizations are modernizing their systems to bring greater efficiency, speed and cost savings to their processes. While the digital transformation promises to bring doctors and patients closer together and improve the quality of care, there are many complexities around how patient data is entered, stored, and protected that must be understood.
The Journey of Patient Data
Recently, I injured my knee, prompting a doctor visit and then an MRI. While lying motionless on the MRI table, I contemplated all of the data I was generating. When I called to schedule the visit, they matched my patient record to the appointment. When I arrived at the doctor’s office, I provided updates about insurance and other details. A nurse then checked and documented my vitals. Once the doctor arrived, he reviewed my electronic health record, asked me questions, and examined my knee while typing updates into my file. He then sent an electronic prescription for pain medication to my pharmacy and issued an MRI referral. During my MRI visit, I went through the same process and then a digital MRI was added to my record. A few days later, my doctor called me to review the results, set up a treatment plan and schedule follow-up visits.
After my visits, my data digitally crossed through scheduling, EHR, PACS, prescription systems, a population health database, and many other systems. I thought about where all of that data is now. It’s still in the primary instances of each system and has been mirrored for disaster recovery. A few backup copies were made and some of the data was sent to an analytics application (probably a few of them). A copy was made to the reporting server for primary and disaster recovery. There could have been an anonymized version of the data created for research or analysis. At a minimum, there were at least 5-10 copies of my data out there a week after my visits. Over time, that number will continue to grow. Especially when there are system upgrades, refreshes, testing, development, QA, and training.
With Data Growth Comes Increasing Security Concerns
While my single record updates were relatively minor, my medical facility saw hundreds of patients that day. I started thinking about how much storage they would need to keep up with the load. Then the dark recesses of my mind kicked in and I realized how many copies of my personal information just got propagated from this single set of instances. It was sent between many different systems, devices, applications, and locations. How confident was I that all versions of my data were consistently protected, as the value of the information varied wildly based on how it was being used? Is it safe from hackers and protected in the same way when used for QA versus production? As it transferred between from production to disaster recovery, or from production to reporting, was it encrypted? When backups were taken, was my data exposed in transit or is it exposed now as it sits somewhere in a backed-up state? How about those reporting instances? Is that encrypted and protected from prying eyes?
HIPAA and Other Regulations
Seeking to calm myself, I focused on HIPAA and the privacy protections it outlines. That, combined with other federal, state, and local regulations helped settle my nerves. The penalties for data breaches and careless use of patient health information are severe. I knew I should rest assured that all of these instances are well protected but then I did more research.
In the last two years, 90 percent of all healthcare organizations suffered at least one data breach with an average cost of $2.2 million per hack. The average rate for individual medical records on the black market is $363, higher than the price of data from any other industry and is the most targeted industry by hackers. It’s a big and scary problem.
When my records were stored in paper files, I only had to worry about someone stealing a bunch of heavy and cumbersome file folders or faxing them somewhere to share my information. A series of locks and other physical security devices often did a good job of preventing this. Worst case scenario, there could have been a fire and my record was lost if my patient folder was stored elsewhere. This got me thinking more about disaster recovery and the potential for data corruption.
Make Sure Your Storage Provider Has Got You Covered
Having spent many years working in healthcare organizations and for storage companies, I’ve had to solve these problems in several ways. Traditional approaches and technologies are costly (uplift for encryption cards, licenses, or self-encrypting drives), highly complicated, and inconsistent. A modern solution, like Nimble, removes the uplift cost, eliminates the complexity, and extends protection and reliability throughout the data lifecycle. At a minimum, thinking through the journey of patient data requires a serious conversation with your partners and vendors. Are they as concerned about protecting the data as you are? Never assume they are or that they have all the capabilities that you need.
Using Nimble, healthcare organizations can rest easy at night knowing that their systems and patient data are always protected. To learn more, visit us at the HIMSS conference in Orlando, FL at Booth #6087 from February 19-23rd.
- Troy Wilson