By Joe Gaska, CEO, GRAX.
Healthcare is highly regulated when it comes to data security and privacy, and rightly so. Patient data is ultra-sensitive, and any change made to a record could literally cost someone their life. Regulations from HIPAA to U.S. Food and Drug Administration 21 CFR Part 11 stipulate the need to exercise IT best practices to keep electronic patient data safe, which is why legacy healthcare technology vendors like Cerner and Epic are so focused on guarding against unauthorized access and cyber attacks.
As more and more providers transform to outcome-based healthcare models, however, minimizing the risk of data exposure is getting harder. That’s because, in order to increase efficiencies and optimize patient care, organizations are increasingly introducing cloud-based, or SaaS, applications into their processes. They leverage these applications to analyze data and get insights related to patient journeys, treatment pathways, the cost of care delivery and even the efficacy of various medical devices.
The compliance challenge
While this is essential to do, it also complicates regulatory compliance, since it requires moving or copying data from your infrastructure into other applications. Every time a new application is introduced, healthcare organizations essentially need to get that vendor to sign a BAA (Business Associate Agreement) to accept responsibility for the safety of patients’ health information and maintain appropriate safeguards. Yet even with an agreement in place, organizations are still at risk. HIPAA and other compliance measures require audit trails, which are more difficult to maintain with SaaS applications.
In addition, because users need SaaS data for analytics and other purposes, they’re likely to download it, make their own copies and store it in their own folders and systems. This data sprawl increases the number of potential access points and vulnerabilities.
All of which raises the question: how can organizations help protect sensitive data while still leveraging that data in a way that works to improve outcomes? The answer lies in data ownership.
Where data is stored is critical to how accessible, secure and auditable it is. One way organizations can help make improvements on all counts is by bringing data storage in-house instead of keeping it in SaaS vendors’ applications, where there is less control and visibility, and where users who need to access the data must go through more hops. When a company owns its data in this way, it can set appropriate controls and better trace the digital chain of custody.
This can be accomplished by backing up historical SaaS app data directly from the app into your organization’s own secure cloud infrastructure, such as AWS or Microsoft Azure. Having the data in your own cloud makes it easier, and less costly, to maintain a digital chain of custody. And the more frequently data is backed up, the better organizations can track changes, find anomalies that may signal breaches and ensure auditability over lengthy time periods.
Pooling data from multiple cloud apps into a centralized, unified cloud data lake where authorized users can access it also reduces the number of hops, minimizing risk of exposure. It can also reduce the number of copies circulating – and the compliance risk that comes with it. Another important benefit is that healthcare organization users can access the data in a secure way and stream it into additional business intelligence tools, gaining even more insights.
Compliance and the Cloud
There’s no denying that in order to transition to outcome-based healthcare and reap its benefits, organizations must take advantage of cloud-based applications and data analytics. To make sure privacy and security compliance aren’t put at risk, it’s important to own your data. Storing cloud-app data in your organization’s own AWS or Azure infrastructure is a simple, effective and affordable way to help control who accesses data, maintain audit trails and prove compliance.