In a healthcare environment that promotes patient engagement, keeping information confidential is paramount. Whether information is shared between physicians or with the patient, measures must be taken to ensure both the security and the integrity of the data.
Every vendor in the healthcare sector offers some level of security, but how much is enough has yet to be defined. Hacker attacks increased 600% in the first 10 months of 2014 versus the prior year, and data breaches occur almost daily. Data security is an issue of extreme importance.
The HIPAA Security Rule, which is a subset of the HIPAA Privacy Rule, requires implementation of three types of security safeguards: (1) administrative, (2) physical and (3) technical. Together these address both access to the data and its confidentiality.
Access means the ability or the means necessary to read, write, modify or communicate data or information, or otherwise use any system resource. Confidentiality means that data or information is not made available or disclosed to unauthorized persons or processes.
Administrative safeguards are the administrative actions, policies and procedures used to manage the selection, development, implementation and maintenance of security measures that protect ePHI, and to manage the conduct of the Covered Entity’s workforce in relation to the protection of that information.
Physical safeguards are the physical measures, policies and procedures that protect a Covered Entity’s electronic information systems, and the related buildings and equipment, from natural and environmental hazards and from unauthorized intrusion.
Technical safeguards are the technology, and the policies and procedures for its use, that protect electronic health information and control access to it.
The combination of these safeguards is designed to protect the data reasonably and appropriately. Unfortunately, there is no clear-cut definition of what constitutes “reasonable and appropriate”, nor is there a definition of what can be considered “necessary”. This leaves facilities to implement whatever measures they feel are satisfactory.
Sadly, the security in use is often not enough, as the plethora of publicized breaches shows, the latest being the Premera breach that affected up to 11 million records. Given that HIPAA penalties can be as high as $10,000 per record, any breach is one too many, and 11 million can be considered catastrophic.
Endpoint encryption provides the most basic level of data security, and most healthcare companies provide some degree of end-to-end, packet-level encryption for all data transfers. Interestingly, though, more than 41% of healthcare organizations do not use endpoint encryption, even though approximately one-third of employees work remotely at least once a week.
Many vendors provide encrypted URLs as part of their integration with a secure EMR, as well as optional encryption for additional data. A few companies go several steps further and provide encrypted passwords throughout the ecosystem. Vendors wishing to have their systems used within the federal government (VA hospitals, etc.) need to adhere to a much higher standard. This often entails meeting Federal Information Processing Standard (FIPS) 140-2, which defines four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. An even higher standard is the one mandated by the Department of Defense, known as DIACAP (DoD Information Assurance Certification and Accreditation Process), which was replaced in 2014 by the DoD’s Risk Management Framework (RMF) for DoD Information Technology (IT).
So how much security is enough, and how much is too much? A recent study by the Ponemon Institute noted that 43% of security breaches across all industries occurred within the healthcare industry. That is scary.
There are trade-offs with each security approach. If you make data easily accessible to both clinicians and patients without unduly restricting access, you open up the chance that an unauthorized party may also gain access to it. Make data too restricted and it becomes a logistical nightmare to obtain. Biometrics may provide a cost-effective answer, as may other advanced technologies under development. Until then, each facility needs to conduct its own risk analysis to determine whether the security in place meets the minimum standards and protects not only the facility itself but its patients as well.
I did a Google search for “healthcare innovation” and came up with all sorts of hits: “FDA approves novel implanted sensor to watch heart failure”; “Infographics are revolutionizing the patient experience”; “New hepatitis C drug – a priceless breakthrough”; “Big Data has big potential”. I wondered just what constitutes something innovative. A lot of that depends on where you look.
Typically, when the word “innovative” is used in the healthcare market sector, it refers to a new drug, a new modality or even a new imaging technique. Yet while healthcare IT may employ new hardware to increase speed or to provide a more secure environment for the data that resides on it, it is usually the applications that run on the hardware that set vendors apart and are considered innovative. That flies in the face of traditional thinking about innovation.
The dictionary says that “innovation is a new idea, device or process,” but that significantly limits how an idea is implemented. Wikipedia’s version is a bit more expansive and includes “…the application of better solutions that meet new requirements, unarticulated needs, or existing market needs. This is accomplished through more effective products, processes, services, technologies or ideas that are readily available to markets, governments and society. The term innovation can be defined as something original and more effective and, as a consequence, new, that ‘breaks into’ the market or society.” Imaging IT often requires better solutions, especially where new requirements are concerned, both those driven by the “do more with less” mantra and those imposed by state and federal standards.
So just what makes an innovative company? Looking at customer needs and finding a solution that does the job better, faster or cheaper than others do can be considered innovative, but it is how and when a company does it that makes the difference. Computer-aided diagnosis is one example of an imaging technology that can be considered innovative; medical image sharing might be considered another.
Most PACS share the same basic display protocols, yet a few vendors display images in a slightly different manner. Many PACS require the entire study to be loaded before images can be viewed, yet some vendors allow images to be loaded in the background while the current images are being viewed in real time. That’s innovative. Most PACS vendors today talk about using the cloud or having an enterprise-wide solution. That in itself is far from innovative; yet doing this over a decade ago, when cloud utilization was in its infancy, can definitely be considered innovative.
Integrating radiology and cardiology PACS into a single, seamless clinical imaging system without the use of a broker or a customized API can also be considered innovative. Using a single common core at the server level that can handle both data management and workflow for multiple departments across the enterprise is considerably different from interfacing a host of disparate systems and giving a new name to the patched-together solution. Many facilities also have multiple databases they have to query to compile a patient record, so anything that seamlessly unifies a patient record or disparate systems can be considered innovative.
Linking documents, waveforms, audio files and more, while still far from commonplace today, was almost unheard of a decade ago. Select vendors were showing the promise of a multi-media PACS that far back, as well as offering a solution for viewing images remotely in the days before cell phones and tablets. All of these too can be considered imaging innovations.
Radiology has made great strides in the years since Wilhelm Roentgen first detected X-rays in 1895. Electronic imaging has made equal strides since its introduction just under 100 years later. Increases in efficiency and productivity have been the hallmarks of PACS, leading to improved health outcomes and better overall patient care. Anything that improves either of those two areas is innovative.
With the advent of patient engagement imaging, companies need to provide innovative ways to protect the data while also allowing it to be shared. Several solutions exist now, yet many more will be needed as hackers find new ways around data encryption schemes, firewalls and the other devices designed to protect the integrity of PHI.
Innovation is all around us and applying these advances in the right way can change the way healthcare operates.
Ask ten people what big data means and you get ten different answers. Nearly all will agree that it includes data sets so large in volume (terabytes to petabytes) or so complex in nature that traditional data processing applications can’t be used. The one thing nearly everyone in healthcare will agree on is that data can drive not only marketing and sales but diagnoses and outcomes as well. That said, having big data and using it are two different things. Who does the analysis, and what the outcomes of that analysis are, often determines not only the future of a company but the end results of patient care.
In most companies, big data is used to help identify the customer’s needs. Sadly, marketing often remains separate from the rest of the enterprise and may be operating without the benefit of the available data to promote products. While this data can be used to customize the end-user experience and to eliminate the one-size-fits-all solution commonly offered today, customers are still faced with approaches by vendors that only minimally tailor solutions to them – and consumer patience is wearing thin. The information needed to address the specific needs of the customer is becoming more and more available, but getting it into the right hands remains a challenge.
In healthcare, big data remains largely unproven, although that hasn’t stopped companies and vendors from jumping on the big data bandwagon. Big data analytics was a hot topic at HIMSS 2014, and it no doubt will be again this year. The promise has been promoted that big data can provide a better quality of care and reduced expenditures, but the evidence to support those claims, at least to date, is tentative at best.
Big data analytics takes mounds of data from many disparate sources to discover patterns that could be useful in problem solving. These sources typically include clinical, financial and operational data, and the analytics often run in the cloud. Much of it is designed to allow patient interaction by taking a proactive, or preventative, approach. Clinical data is typically normalized and validated from across the continuum of care, and often includes not only medications, lab results, vital signs, demographics, hospitalizations and outpatient visits but also physician notes, taking advantage of both structured and unstructured data.
One of the more interesting areas where big data is used is pediatric cardiology, where analytics are applied to make patient-specific recommendations for treatment. The Pediatric Cardiac Critical Care Consortium (PC4) uses big data to try to improve the quality of care by collecting data on clinical practice and outcomes from each patient’s medical record and analyzing it to provide clinicians with timely performance feedback. This fosters a culture of continuous improvement through analytics and collaborative learning. This disease-specific registry is also essential as we move towards a value-based healthcare system.
Big data in radiology is more about decision support than anything else, and it plays an important role in defining the way radiologists use clinical decision support systems to assist them in reading images. According to a recent survey, nearly 89% of radiologists said they always use computer-aided diagnosis (CAD) clinical decision support software, yet only 2 percent said they often change their interpretation based on CAD. The confidence simply isn’t there, because the data universe, while seemingly large, isn’t nearly as large as it needs to be to instill the degree of confidence radiologists require. Rather than relying on individual studies, each clinical course and its data would be saved and made available for decision support, capturing not just the data in a patient’s electronic medical record but their radiology data as well. These large data sets could be used in future clinical decision support systems such as CAD to study patients with similar characteristics and to calculate the likelihood of malignancies and other diseases. Putting these in a format that allows for data mining requires some additional coding and tagging, but in the long run it will make the data easier to organize and search, and it should improve radiology diagnoses and ultimately patient outcomes through improved diagnostic capability, all made possible through the use of big data.