If data were measured in rocks, a new mountain would rise every day—and a major portion of it would come from healthcare organizations. Providers and experts are trying to determine the best way to store and protect sensitive healthcare information—a massive challenge in light of regulations, storage costs, and IT limitations.
Ninety percent of all the information ever known to mankind has been generated in the last two years (SINTEF, “Big Data, for Better or Worse,” ScienceDaily, May 22, 2013). And the amount is growing exponentially (see the exhibit below).
Unfortunately, storage capacity has not kept pace with data growth, so storage may become the Achilles heel of data centers. This situation is a fact of life for any enterprise, and it can be a matter of life and death when the data at issue is an individual’s protected health information (PHI). Unless secured, patients’ electronic medical records, billing and payment records, digital images, and other sensitive details can be illegally downloaded. Even medical devices like remotely controlled insulin pumps and cardiac monitors can be hacked and corrupted.
In short, data storage and security are monumental challenges and serious operational risks for any healthcare provider. IT experts are scrambling to find the best available solutions in a time of evolving data storage and security capabilities. The leaders and experts consulted agree that there is no one-size-fits-all answer to the question of how best to store and secure data. Various factors must be taken into account, including the organization’s size and budget, the types of data involved, and the expertise and willingness of staff to deal with the issues.
The Growing Risks
That thieves should find healthcare data valuable should come as no surprise. Ninety-four percent of healthcare organizations that responded to a 2012 survey reported at least one data breach in the previous two years (Ponemon Institute, Third Annual Benchmark Study on Patient Privacy and Data Security, December 2012).
In one expensive example, cyberthieves based in Ukraine and Russia hacked the payroll accounts of Cascade Medical Center in early 2013 and made off with $1.03 million. These cybercriminals used money mules (individuals who are duped into being conduits for the transactions) to transfer the money electronically to U.S. bank accounts and then by Western Union or MoneyGram to accounts abroad. It appears that nearly half a million dollars of the Washington public hospital’s money is “gone for good,” according to a June article in The Daily World.
In addition to stealing cash, perpetrators can illicitly obtain PHI to secure healthcare services to which they are not entitled. Such medical identity theft—one of the fastest-growing crimes in America—not only has an economic impact of more than $40 billion a year, according to the Ponemon report, but creates havoc in the lives of victims, who can suffer legal difficulties, financial consequences, insurance termination, and even adverse treatments or death.
The Current Reality
It is disappointing that the traditional IT infrastructure has not kept pace with these increased risks. Until recently, the typical approach to data storage and security has been for an organization to have its own data center. The building or department was secured by physical access controls, and the data were protected by user IDs, passwords, and other logical controls. But with the rise of Big Data—or large, complex data sets—the status quo has become especially worrisome.
Costs of data storage. For one thing, the costs of operating data centers, which use large amounts of water and energy and require a full-time staff, can be significant. One recent report found that the average annual operating costs for a typical 75-person data center ranged from around $10 million in Sioux Falls, S.D., to $24 million in New York City (see the exhibit below).
Cloud versus other approaches. Of course, the security of a data warehouse is only as good as the physical plant and the available staff and technology allow. For these reasons, many organizations are beginning to use cloud computing services (i.e., remote services accessed via the Internet) for their data storage needs. In the Ponemon study referenced earlier, more than 60 percent of the respondents reported moderate or heavy use of the cloud for data storage. But nearly half of them were “not confident” that information in the cloud is secure and nearly one-fourth said they were only “somewhat confident.”
With proper security, there can be advantages to using cloud service providers. For example, they help in making electronic health records (EHRs) more widely available to physicians in a health system, thus helping to comply with Stage 2 meaningful use criteria. They also convert what would otherwise be expenditures from the capital budget to routine operating costs, ensure business continuity in the event of service interruption, protect against malware and phishing, and relieve IT staff of mundane data management chores, such as replication, backup, etc.
But using the cloud (or even a hybrid approach) may also have some drawbacks, the experts say. There can be latency (speed of access) issues in accessing the cloud, challenges in migrating the data, regulatory problems if data are stored outside a U.S. jurisdiction, and vendor “lock-in” if the services are not vendor neutral. There is also the potential of financial failure of the cloud service provider or any of its downstream partners.
Given these concerns, a hybrid approach is sometimes adopted in which the cloud is used for nonsensitive information while critical information, such as PHI, is “held close” in a data warehouse maintained by the data’s owner and secured by traditional means. But even this is changing with the increasing number of healthcare-oriented cloud solutions. And, unfortunately, no matter where the data are stored, there is always some risk of a breach.
The following case studies share the data storage and security methods and challenges of two healthcare organizations.
Case Study: A Variation on Traditional Data Centers
St. Dominic Hospital in Jackson, Miss., chose a flexible data storage model after its storage infrastructure reached half a billion files in 2011. “This was a wake-up call,” said Wendell Pinegar, applications supervisor. “We were in danger of hitting the wall; in danger of running out of capacity, performance, or both.”
So the hospital purchased an in-house system based on scale-out, network-attached storage (scale-out NAS). Working with the vendor, in a matter of just a few hours, St. Dominic staff hooked up two storage clusters consisting of multiple, independent but integrated storage nodes. The new system accommodates all types of data, and it is scalable to adapt to future needs.
Flexible capacity and cost savings. “With scale-out NAS you can purchase storage nodes like building blocks,” Pinegar said. “If you need more capacity or greater performance, you just add another node or two and you have immediate growth.”
Pinegar compared the cost of in-house storage for the hospital’s picture archiving and communications system (PACS) versus outsourcing it to a public cloud storage vendor. “The conventional wisdom is that purchasing from a cloud provider is more cost-effective, but we found that this isn’t always the case.” In the end, he said, “We spent money on a solution that can handle various kinds of data and saved 70 percent over what PACS alone would have cost had we chosen a cloud vendor’s solution.” St. Dominic anticipates saving 50 percent on the total cost of ownership over a five-year period.
Fast access to data. In addition to consolidating various kinds of data, St. Dominic’s data infrastructure also speeds up access to information, which translates into increased productivity and better overall patient care.
“In health care, we understand that storage, while important, is only part of the puzzle,” Pinegar said. “Our main focus must always be on serving patients and assisting providers. If clinicians spend unnecessary time waiting for records, the quality of health care suffers, and it could even spell the difference between life and death in an emergency. With our new system, a record that might have taken six seconds to retrieve can now be accessed in less than a second.”
In traditional storage environments, the best performance is often achieved when there are just a few people using the system. But Pinegar sought a system that provided optimum performance during peak times and would continue to do so “on day one or day 1,000, regardless of how much the data grows.”
Because St. Dominic has a duplicate storage cluster available in a separate, nearby location, staff have the comfort of knowing there will be no loss of data continuity if one cluster fails. The hospital owns and manages both facilities, which gives IT staff more control than if the data were stored by an outsourced cloud vendor.
Secure protection. Pinegar uses industry best practices to ensure the physical and electronic security of all hospital computer systems, including the scale-out NAS. Encryption is available for data-at-rest using full disk encryption, and data are also encrypted while in transit. Storage administration includes a role-based security model and other features, such as write-once-read-many devices, in which information, once written, cannot be modified. This is used for retention of medical records.
Pinegar said, “When it comes to data security, there isn’t a one-size-fits-all approach. So we recommend maintaining a degree of flexibility on how you deploy applications and storage platforms. And you should look at nontraditional solutions, such as smartphone-based authentication, which can add an additional layer of security beyond biometric, smartcard, and other types of multifactor authentication.”
He explains that phone-based authentication makes sense given the number of employees who have their phones at work these days. When there is a good bring-your-own-device security policy, using smartphones for authentication can help increase user awareness and acceptance of security processes.
Case Study: A Hybrid Approach
Kirk Larson, vice president and CIO of Children’s Hospital Central California, located in Madera, Calif., uses a hybrid storage approach with some in-house data centers and some that are cloud-based.
For their PACS, Children’s uses a cloud-based but vendor-neutral archive, which means that the data can be moved easily to another cloud service provider if necessary. For their inpatient EHR they use an in-house data center. And for their ambulatory EHR, they use cloud storage.
Two different approaches. When asked why the different approaches to EHR, Larson said a committee of their ambulatory care physicians reviewed various products and chose the cloud service for outpatient records based on business need and functionality. “But we’ve done our homework and feel we have control over the data regardless of where it is stored,” he said. “The priorities may change, but whether data is maintained on premises or in the cloud, the same security principles apply.”
Larson adds that it is important to vet the vendors thoroughly. He says the IT team at Children’s has done that and feels comfortable with their cloud service partners.
Generally speaking, cloud providers are being used more for nonclinical applications than for clinical information, but the use of cloud solutions is on the rise for all types of data, said Mac McMillan, chair of the privacy and security task force of the Healthcare Information and Management Systems Society (HIMSS).
Risk aversion. One reason for the reluctance to use cloud storage, McMillan believes, is aversion to risk. “In the public cloud model, there are challenges because your data can be anywhere, including overseas, so the risks increase and you may not feel that you control security.”
A second reason for the slow uptake of cloud storage in health care is cloud providers’ wariness of healthcare regulation, in particular the HIPAA concept of “business associate.” Under the HIPAA privacy regulation, business associates are people or entities that perform certain functions or activities involving the use or disclosure of PHI on behalf of a health system or other HIPAA-covered entity. A business associate may be liable for privacy breaches and may be subjected to civil money penalties for violations.
For this reason, some cloud service providers are wary of doing business when PHI is involved, McMillan said. Larson agreed, adding, “Cloud vendors are beginning to realize that business associate agreements have teeth, so some of them are reluctant to deal with PHI.”
On the other hand, Larson would not be surprised if, in the future, we see some large health systems begin to make their own hosting systems available to smaller healthcare providers on a contract basis. “Hospital systems are already subject to HIPAA so the liabilities are not new to them. If they have capacity in their systems, they could become a business associate of small hospitals and physician practices for data storage purposes,” he said.
The View from Academia
In the past, most security efforts were focused on defining and defending a fixed perimeter around the computers where the information is stored and on securing the transmission paths where the data travels, said security expert John Carbone, PhD. “These traditional perimeter controls are necessary, but the proliferation of data and its ready accessibility make it nearly impossible even to define the ever-changing perimeter, let alone defend it,” said Carbone, who partners with professors to develop graduate-level cyber security and engineering curriculums and is a 25-year software consultant for military and federal contractors.
Future security technologies. Ideally, true data security would mean that each data object (i.e., email, photograph, document, CT scan, etc.) could only be accessed and used according to the authentication rules set by the original owner of the information. This is what Carbone calls persistent control—the ability always to restrict how, where, when, and by whom a digital object can be used.
“Placing persistent controls on each piece of data establishes provenance, expiration times, usage rules (e.g., the authority to read/write, copy, print, forward, etc.), and an audit trail that tracks all interactions for the life of the data,” he said. “Plus, each object should be individually encrypted both at rest and in motion, accessible only by authorized users whose identities can be authenticated.”
Some leading-edge technologies are available that do what Carbone is referring to: apply a control to each data object that is as unique to it as a serial number is to a dollar bill. Although these products are not yet widely used in the healthcare sector, they are being evaluated by the military and federal organizations. If such controls were used, he said, the data owner would not have to rely solely on the users being who they say they are or knowing a password.
Authentication techniques. Currently, various authentication techniques are used, each with a different level of security, including the following:
- Self-attestation (ID and password)
- Credit card match
- Credit bureau verification
- Key intelligence questions (e.g., “What street did you live on when you were 10 years old?”)
- Biometrics, such as retinal scan or fingerprint identification
- In-person verification, such as at airport security
Data owners must choose the kinds of controls that match their level of security desired and the sensitivity of the data, Carbone said.
Encryption safeguards. Currently, data that are being exchanged or in transit are typically protected by encryption. But traditional encryption methods alone do not necessarily meet the safe harbor standards of the HIPAA rule. The federal rule provides specific guidance for making PHI “unusable, unreadable, or indecipherable to unauthorized individuals.” If a healthcare provider encrypts PHI in a way that complies with this guidance and nevertheless discovers a privacy breach, it will not be required to provide breach notification to affected individuals (74 Fed. Reg. 42740, Aug. 24, 2009 and 45 C.F.R. §164.402, definition of “unsecured” PHI).
“All encryption solutions are not the same,” Carbone said. “So you must focus on being able to prove that PHI was properly encrypted at the time of a breach, if it were ever necessary to do so.”
When choosing encryption, Carbone suggests the following:
- Look for solutions that prohibit users or applications from transmitting unencrypted PHI.
- Prevent encryption being turned off by users without authority to do so.
- Log the encrypted/decrypted status throughout the life of the data.
The bottom line: There are advantages and disadvantages, risks and rewards, to any data storage and security strategy. Security breaches—whether in the cloud, a hybrid system, or a local warehouse—erode confidence in the healthcare system and can have serious regulatory implications.
C-level healthcare executives should learn enough about the available technologies to be able to charge their IT people with exploring possible security enhancements. New technology can help decrease risks while helping to improve the quality of care. Organizations must be meticulous in their approach to data security and generous with their investment in it.
These and many other factors must be considered, and regardless of the approach one chooses, every organization must strive for constant improvement. As Pinegar said, “We believe data security is a journey, not a destination. We are more secure and more capable this year than we were the year before, and we constantly reassess where we may be vulnerable and what we may need to do to improve in the future.”
J. Stuart Showalter, JD, MFS, is contributing editor, HFMA Legal & Regulatory Forum.
Interviewed for this article (in order of appearance): Wendell Pinegar is applications supervisor, St. Dominic Hospital, Jackson, Miss. Kirk Larson is vice president and CIO, Children’s Hospital Central California, Madera, Calif. Mac McMillan, FHIMSS, is chair, privacy and security task force, Healthcare Information and Management Systems Society. John Carbone, PhD, is affiliated with Texas A&M University-Commerce, Commerce, Texas.
Publication Date: Wednesday, November 06, 2013