Ninety percent of all the information ever known to mankind has been generated in the last two years (SINTEF, “Big Data, for Better or Worse,” ScienceDaily, May 22, 2013). And the amount is growing exponentially (see the exhibit below).
Unfortunately, storage capacity has not kept pace with data growth, so storage may become the Achilles heel of data centers. This situation is a fact of life for any enterprise, and it can be a matter of life and death when the data at issue is an individual’s protected health information (PHI). Unless secured, patients’ electronic medical records, billing and payment records, digital images, and other sensitive details can be illegally downloaded. Even medical devices like remotely controlled insulin pumps and cardiac monitors can be hacked and corrupted.
In short, data storage and security are monumental challenges and serious operational risks for any healthcare provider. IT experts are scrambling to find the best available solutions in a time of evolving data storage and security capabilities. The leaders and experts consulted agree that there is no one-size-fits-all answer to the question of how best to store and secure data. Various factors must be taken into account, including the organization’s size and budget, the types of data involved, and the expertise and willingness of staff to deal with the issues.
That thieves should find healthcare data valuable should come as no surprise. Ninety-four percent of healthcare organizations that responded to a 2012 survey reported at least one data breach in the previous two years (Ponemon Institute, Third Annual Benchmark Study on Patient Privacy and Data Security, December 2012).
In one expensive example, cyberthieves based in Ukraine and Russia hacked the payroll accounts of Cascade Medical Center in early 2013 and made off with $1.03 million. These cybercriminals used money mules (individuals who are duped into being conduits for the transactions) to transfer the money electronically to U.S. bank accounts and then by Western Union or MoneyGram to accounts abroad. It appears that nearly half a million dollars of the Washington public hospital’s money is “gone for good,” according to a June article in The Daily World.
In addition to stealing cash, perpetrators can illicitly obtain PHI to secure healthcare services to which they are not entitled. Such medical identity theft—one of the fastest-growing crimes in America—not only has an economic impact of more than $40 billion a year, according to the Ponemon report, but creates havoc in the lives of victims, who can suffer legal difficulties, financial consequences, insurance termination, and even adverse treatments or death.
It is disappointing that the traditional IT infrastructure has not kept pace with these increased risks. Until recently, the typical approach to data storage and security has been for an organization to have its own data center. The building or department was secured by physical access controls, and the data were protected by user IDs, passwords, and other logical controls. But with the rise of Big Data—or large, complex data sets—the status quo has become especially worrisome.
Costs of data storage. For one thing, the costs of operating data centers, which use large amounts of water and energy and require a full-time staff, can be significant. One recent report found that the average annual operating costs for a typical 75-person data center ranged from around $10 million in Sioux Falls, S.D., to $24 million in New York City (see the exhibit below).
Cloud versus other approaches. Of course, the security of a data warehouse is only as good as the physical plant and the available staff and technology allow. For these reasons, many organizations are beginning to use cloud computing services (i.e., remote services accessed via the Internet) for their data storage needs. In the Ponemon study referenced earlier, more than 60 percent of the respondents reported moderate or heavy use of the cloud for data storage. But nearly half of them were “not confident” that information in the cloud is secure and nearly one-fourth said they were only “somewhat confident.”
With proper security, there can be advantages to using cloud service providers. For example, they help in making electronic health records (EHRs) more widely available to physicians in a health system, thus helping to comply with Stage 2 meaningful use criteria. They also convert what would otherwise be expenditures from the capital budget to routine operating costs, ensure business continuity in the event of service interruption, protect against malware and phishing, and relieve IT staff of mundane data management chores, such as replication, backup, etc.
But using the cloud (or even a hybrid approach) may also have some drawbacks, the experts say. There can be latency (speed of access) issues in accessing the cloud, challenges in migrating the data, regulatory problems if data are stored outside a U.S. jurisdiction, and vendor “lock-in” if the services are not vendor neutral. There is also the potential of financial failure of the cloud service provider or any of its downstream partners.
Given these concerns, a hybrid approach is sometimes adopted in which the cloud is used for nonsensitive information while critical information, such as PHI, is “held close” in a data warehouse maintained by the data’s owner and secured by traditional means. But even this is changing with the increasing number of healthcare-oriented cloud solutions. And, unfortunately, no matter where the data are stored, there is always some risk of a breach.
The following case studies share the data storage and security methods and challenges of two healthcare organizations.
St. Dominic Hospital in Jackson, Miss., chose a flexible data storage model after its storage infrastructure reached half a billion files in 2011. “This was a wake-up call,” said Wendell Pinegar, applications supervisor. “We were in danger of hitting the wall; in danger of running out of capacity, performance, or both.”
So the hospital purchased an in-house system based on scale-out, network-attached storage (scale-out NAS). Working with the vendor, in a matter of just a few hours, St. Dominic staff hooked up two storage clusters consisting of multiple, independent but integrated storage nodes. The new system accommodates all types of data, and it is scalable to adapt to future needs.
Flexible capacity and cost savings. “With scale-out NAS you can purchase storage nodes like building blocks,” Pinegar said. “If you need more capacity or greater performance, you just add another node or two and you have immediate growth.”
Pinegar compared the cost of in-house storage for the hospital’s picture archiving and communications system (PACS) versus outsourcing it to a public cloud storage vendor. “The conventional wisdom is that purchasing from a cloud provider is more cost-effective, but we found that this isn’t always the case.” In the end, he said, “We spent money on a solution that can handle various kinds of data and saved 70 percent over what PACS alone would have cost had we chosen a cloud vendor’s solution.” St. Dominic anticipates saving 50 percent on the total cost of ownership over a five-year period.
Fast access to data. In addition to consolidating various kinds of data, St. Dominic’s data infrastructure also speeds up access to information, which translates into increased productivity and better overall patient care.
“In health care, we understand that storage, while important, is only part of the puzzle,” Pinegar said. “Our main focus must always be on serving patients and assisting providers. If clinicians spend unnecessary time waiting for records, the quality of health care suffers, and it could even spell the difference between life and death in an emergency. With our new system, a record that might have taken six seconds to retrieve can now be accessed in less than a second.”
In traditional storage environments, the best performance is often achieved when there are just a few people using the system. But Pinegar sought a system that provided optimum performance during peak times and would continue to do so “on day one or day 1,000, regardless of how much the data grows.”
Because St. Dominic has a duplicate storage cluster available in a separate, nearby location, staff have the comfort of knowing there will be no loss of data continuity if one cluster fails. The hospital owns and manages both facilities, which gives IT staff more control than if the data were stored by an outsourced cloud vendor.
Secure protection. Pinegar uses industry best practices to ensure the physical and electronic security of all hospital computer systems, including the scale-out NAS. Encryption is available for data-at-rest using full disk encryption, and data are also encrypted while in transit. Storage administration includes a role-based security model and other features, such as write-once-read-many devices, in which information, once written, cannot be modified. This is used for retention of medical records.
Pinegar said, “When it comes to data security, there isn’t a one-size-fits-all approach. So we recommend maintaining a degree of flexibility on how you deploy applications and storage platforms. And you should look at nontraditional solutions, such as smartphone-based authentication, which can add an additional layer of security beyond biometric, smartcard, and other types of multifactor authentication.”
He explains that phone-based authentication makes sense given the number of employees who have their phones at work these days. When there is a good bring-your-own-device security policy, using smartphones for authentication can help increase user awareness and acceptance of security processes.
Kirk Larson, vice president and CIO of Children’s Hospital Central California, located in Madera, Calif., uses a hybrid storage approach with some in-house data centers and some that are cloud-based.
For their PACS, Children’s uses a cloud-based but vendor-neutral archive, which means that the data can be moved easily to another cloud service provider if necessary. For their inpatient EHR they use an in-house data center. And for their ambulatory EHR, they use cloud storage.
Two different approaches. When asked why the different approaches to EHR, Larson said a committee of their ambulatory care physicians reviewed various products and chose the cloud service for outpatient records based on business need and functionality. “But we’ve done our homework and feel we have control over the data regardless of where it is stored,” he said. “The priorities may change, but whether data is maintained on premises or in the cloud, the same security principles apply.”
Larson adds that it is important to vet the vendors thoroughly. He says the IT team at Children’s has done that and feels comfortable with their cloud service partners.
Generally speaking, cloud providers are being used more for nonclinical applications than for clinical information, but the use of cloud solutions is on the rise for all types of data, said Mac McMillan, chair of the privacy and security task force of the Healthcare Information and Management Systems Society (HIMSS).
Risk aversion. One reason for the reluctance to use cloud storage, McMillan believes, is aversion to risk. “In the public cloud model, there are challenges because your data can be anywhere, including overseas, so the risks increase and you may not feel that you control security.”
A second reason for the slow uptake of cloud storage in health care is cloud providers’ wariness of healthcare regulation, in particular the HIPAA concept of “business associate.” Under the HIPAA privacy regulation, business associates are people or entities that perform certain functions or activities involving the use or disclosure of PHI on behalf of a health system or other HIPAA-covered entity. A business associate may be liable for privacy breaches and may be subjected to civil money penalties for violations.
For this reason, some cloud service providers are wary of doing business when PHI is involved, McMillan said. Larson agreed, adding, “Cloud vendors are beginning to realize that business associate agreements have teeth, so some of them are reluctant to deal with PHI.”
On the other hand, Larson would not be surprised if, in the future, we see some large health systems begin to make their own hosting systems available to smaller healthcare providers on a contract basis. “Hospital systems are already subject to HIPAA so the liabilities are not new to them. If they have capacity in their systems, they could become a business associate of small hospitals and physician practices for data storage purposes,” he said.
In the past, most security efforts were focused on defining and defending a fixed perimeter around the computers where the information is stored and on securing the transmission paths where the data travels, said security expert John Carbone, PhD. “These traditional perimeter controls are necessary, but the proliferation of data and its ready accessibility make it nearly impossible even to define the ever-changing perimeter, let alone defend it,” said Carbone, who partners with professors to develop graduate-level cyber security and engineering curriculums and is a 25-year software consultant for military and federal contractors.
Future security technologies. Ideally, true data security would mean that each data object (i.e., email, photograph, document, CT scan, etc.) could only be accessed and used according to the authentication rules set by the original owner of the information. This is what Carbone calls persistent control—the ability always to restrict how, where, when, and by whom a digital object can be used.
“Placing persistent controls on each piece of data establishes provenance, expiration times, usage rules (e.g., the authority to read/write, copy, print, forward, etc.), and an audit trail that tracks all interactions for the life of the data,” he said. “Plus, each object should be individually encrypted both at rest and in motion, accessible only by authorized users whose identities can be authenticated.”
Some leading-edge technologies are available that do what Carbone is referring to: apply a control to each data object that is as unique to it as a serial number is to a dollar bill. Although these products are not yet widely used in the healthcare sector, they are being evaluated by the military and federal organizations. If such controls were used, he said, the data owner would not have to rely solely on the users being who they say they are or knowing a password.
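As an added illustration (not code from the article or from any product Carbone refers to), the following Python sketch models the persistent-control idea: each object gets its own derived key, a policy carrying provenance, expiry and usage grants is bound into the integrity tag, and every access attempt is appended to the object's audit trail. It assumes the caller has already authenticated the user's identity, and it uses HMAC-SHA256 in counter mode as a stand-in for a real AEAD cipher; all names and sample values are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass, field

ACTIONS = ("read", "write", "copy", "print", "forward")


@dataclass
class Policy:
    owner: str                  # provenance: who sealed the object
    expires_at: float           # Unix time after which every action is denied
    grants: dict                # user -> list of permitted actions

    def canonical(self) -> bytes:
        # Deterministic encoding so the policy can be bound into the MAC tag
        return json.dumps(
            {"owner": self.owner, "expires_at": self.expires_at,
             "grants": {u: sorted(a) for u, a in self.grants.items()}},
            sort_keys=True).encode()


@dataclass
class SealedObject:
    object_id: str
    policy: Policy
    nonce: bytes
    ciphertext: bytes
    tag: bytes
    audit: list = field(default_factory=list)   # (action, user, time, outcome)


def object_key(master: bytes, object_id: str) -> bytes:
    # One key per object, derived from a master key (HMAC used as a simple KDF)
    return hmac.new(master, b"object:" + object_id.encode(), hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for a real AEAD cipher such as AES-GCM
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(master: bytes, object_id: str, plaintext: bytes, policy: Policy) -> SealedObject:
    key = object_key(master, object_id)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    # The tag binds id, policy, nonce and ciphertext: editing the policy breaks it
    tag = hmac.new(key, object_id.encode() + policy.canonical() + nonce + ct, hashlib.sha256).digest()
    obj = SealedObject(object_id, policy, nonce, ct, tag)
    obj.audit.append(("seal", policy.owner, time.time(), "ok"))
    return obj


def access(master: bytes, obj: SealedObject, user: str, action: str, now=None):
    """Return the plaintext if the policy permits the action, else None; always log."""
    now = time.time() if now is None else now
    outcome = "ok"
    if action not in ACTIONS:
        outcome = "denied:unknown-action"
    elif now > obj.policy.expires_at:
        outcome = "denied:expired"
    elif action not in obj.policy.grants.get(user, []):
        outcome = "denied:not-granted"
    else:
        key = object_key(master, obj.object_id)
        expected = hmac.new(key, obj.object_id.encode() + obj.policy.canonical()
                            + obj.nonce + obj.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, obj.tag):
            outcome = "denied:tampered"
    obj.audit.append((action, user, now, outcome))   # every interaction is recorded
    if outcome != "ok":
        return None
    return bytes(c ^ k for c, k in zip(obj.ciphertext, keystream(key, obj.nonce, len(obj.ciphertext))))
```

The audit list doubles as the evidence trail a provider would need to show that an object was sealed, and by whom, before any later incident.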
Authentication techniques. Currently, various authentication techniques are used, each with a different level of security, including the following:
Data owners must choose the kinds of controls that match their level of security desired and the sensitivity of the data, Carbone said.
Encryption safeguards. Currently, data that are being exchanged or in transit are typically protected by encryption. But traditional encryption methods alone do not necessarily meet the safe harbor standards of the HIPAA rule. The federal rule provides specific guidance for making PHI “unusable, unreadable, or indecipherable to unauthorized individuals.” If a healthcare provider encrypts PHI in a way that complies with this guidance and nevertheless discovers a privacy breach, it will not be required to provide breach notification to affected individuals (74 Fed. Reg. 42740, Aug. 24, 2009 and 45 C.F.R. §164.402, definition of “unsecured” PHI).
“All encryption solutions are not the same,” Carbone said. “So you must focus on being able to prove that PHI was properly encrypted at the time of a breach, if it were ever necessary to do so.”
When choosing encryption, Carbone suggests the following:
The bottom line: There are advantages and disadvantages, risks and rewards, to any data storage and security strategy. Security breaches—whether in the cloud, a hybrid system, or a local warehouse—erode confidence in the healthcare system and can have serious regulatory implications.
C-level healthcare executives should learn enough about the available technologies to be able to charge their IT people with exploring possible security enhancements. New technology can help decrease risks while helping to improve the quality of care. Organizations must be meticulous in their approach to data security and generous with their investment in it.
These and many other factors must be considered, and regardless of the approach one chooses, every organization must strive for constant improvement. As Pinegar said, “We believe data security is a journey, not a destination. We are more secure and more capable this year than we were the year before, and we constantly reassess where we may be vulnerable and what we may need to do to improve in the future.”
J. Stuart Showalter, JD, MFS, is contributing editor, HFMA Legal & Regulatory Forum.
Interviewed for this article (in order of appearance): Wendell Pinegar is applications supervisor, St. Dominic Hospital, Jackson, Miss. Kirk Larson is vice president and CIO, Children’s Hospital Central California, Madera, Calif. Mac McMillan, FHIMSS, is chair, privacy and security task force, Healthcare Information and Management Systems Society. John Carbone, PhD, is affiliated with Texas A&M University-Commerce, Commerce, Texas.