Guest post by Jay Savaiano, director, worldwide healthcare business development, CommVault.
Healthcare professionals are inundated with ways to access and store clinical data. Healthcare IT departments are tasked with making sure that clinical data is readily available, can be accessed from a myriad of devices, and is delivered in a secure manner that meets the compliance standards the entire enterprise has agreed to uphold. The deluge of data and the ever-changing ways that data is accessed are creating major challenges and concerns for the majority of professionals who are responsible for managing the nation’s healthcare information stream.
In a recent nationwide survey of healthcare IT managers in enterprise organizations, 75 percent of respondents – up 14 percent from last year – indicated they were concerned about the protected health information (PHI) residing in Bring-Your-Own-Cloud (BYOC) solutions, such as Box or Dropbox. A large number of BYOC solutions even offer the first 2GB of storage for free, which may speak to their popularity.
Today, the smartphones, tablets and computers that have fueled the popularity of “Bring-Your-Own-Device” programs all come out of the box with some sort of free cloud-based storage solution. Though Intel and ReadWrite report that 49 percent of U.S. IT managers “Strongly Agree that BYOD Improves Worker Productivity,” when you couple BYOC with BYOD and add protected health information to the mix, healthcare organizations can be opening themselves up to a tremendous amount of liability.
With the policies inherent in clinical applications themselves, it is easy to maintain the security of the content, which is often structured and rarely stored locally. The challenge lies with unstructured data that contains PHI. For example, if a clinician maintains a spreadsheet of basic patient data and places that spreadsheet in a BYOC-type solution, both the clinician and the healthcare organization are exposing themselves to liability. Only when cloud-based solutions are authorized by the healthcare facility and meet the organization’s compliance criteria – which can, and usually does, dictate that the cloud provider be willing to sign a business associate agreement in support of HIPAA – are the organization and clinician able to limit the potential liability impact. There can still be other factors that create new liability, but by making the limitation of rogue cloud storage a priority, healthcare organizations can better protect themselves against a potential data breach and subsequent lawsuit.
According to 45 percent of survey respondents, another oversight in healthcare IT organizations is the lack of an enterprise eDiscovery solution to support regulatory compliance. An eDiscovery solution plays an important role in collecting and searching your data, regardless of whether it is stored on premises, on a mobile device, in the cloud, etc. Assuring litigation readiness and information governance is critical for most healthcare organizations, and an eDiscovery solution can help reduce risk for the organization that has deployed it. The lack of an eDiscovery solution could mean increased financial burdens should a lawsuit be filed against a healthcare organization; however, too often eDiscovery is not a priority for these organizations until an actual need arises. This usually means that an audit is occurring or a lawsuit is already in place, in which case it is often too late to deploy a solution. The combination of PHI outside of the enterprise and the lack of an enterprise eDiscovery solution increases risk and creates a ticking time bomb scenario for healthcare organizations.
As disconcerting as both these findings are, the survey data can serve as a blessing in disguise, acting as the much-needed call to action for healthcare organizations to adopt holistic information management strategies that harness and protect data for the betterment of patient safety and healthcare overall.
The survey also suggests that healthcare data from a variety of sources is threatening to overwhelm our healthcare delivery system. Indeed, the healthcare industry is producing a mind-boggling amount of information on a daily basis. A specific example: Kaiser Permanente, the California-based health network with more than 9 million members, is estimated to have between 26.5 petabytes and 44 petabytes of patient data under management from its electronic health record (EHR) data alone, which includes images and annotations. This is the same amount of information that would be contained in 4,400 Libraries of Congress. Additional data sources for healthcare organizations include the growing number of picture archiving and communications systems (PACS), new software applications and hardware solutions, and, as mentioned earlier, an ever-increasing number of healthcare professionals working on their mobile devices (BYOD), potentially beyond IT’s control.
While data management change is (hopefully) on the horizon for most healthcare organizations, the survey provides insight into the top three barriers to investing in data management solutions:
- Lack of funds
- Structure of funding incentives
- Lack of staff expertise
According to the survey, the number one driver in influencing healthcare organizations’ investment in data management solutions was to ensure regulatory compliance. The number two driver was to improve operational efficiency, and the number three driver was to have a plan for disaster recovery. As we indicated, enterprise eDiscovery solutions are vital in helping reduce risk to healthcare organizations, so it’s good to see that the top investment priority is in support of regulatory compliance. Further, healthcare organizations could improve operational efficiencies by consolidating point products with a single solution that can automate data protection and archive with workflows, policies and intuitive management tools. Modern data protection techniques integrated with virtual servers, de-duplication and data replication methods can seamlessly extend offsite disaster recovery with deep cloud storage interoperability to greatly reduce business continuity costs.
While the survey strictly took into account responses from healthcare professionals, we see parallels between these key drivers and barriers to greater peace of mind in many industries, including legal, government and finance. Being able to back up, recover and search data are just a few of the core requirements in today’s rapidly evolving data-centric world. As such, these drivers should be priorities for nearly all companies where long-term retention and protection of content is paramount to their organization’s survival and growth.
The increased growth and flow of healthcare data through our healthcare system will continue regardless of what protocols are put in place to manage that data. However, it can be managed and harnessed for the betterment of healthcare if the right strategies and tools are in place. Just as the Mississippi River's flow is managed by a series of 27 locks and dams, the enormous amount of healthcare data requires the same kinds of management and control solutions. Without them, the information flowing through our healthcare systems is nothing more than an untamed, wild torrent.