When it comes to healthcare, profitability goes hand in hand with managing the explosion of data required to make accurate decisions while remaining compliant. How can organizations address issues around patient data portability, information transmissibility, communication between providers, privacy and security, and compliance? When constraints around trust and adoption of new procedures are likely, how can one area justify change that will ripple through an organization, creating new procedures and affecting the routines of front line providers?
Healthcare is in a state of flux, pressured by an aging population that requires increased care resources. Lifestyle choices of the past have come to reckoning today, while organizations work to educate and persuade patients to modify their behavior through wellness programs. In most developed nations the cost of care continues to outpace inflation. Health care providers struggle to communicate across disciplines and across organizational lines in attempts to coordinate patient care. Meanwhile, large amounts of patient data are collected and stored, left to languish in servers hither and yon, unable to be accessed by databases structured to only hold specific information. Compliance issues confound accessibility efforts, there is a lack of interoperability between applications, and a maze of privacy permissions to navigate.
In addition to the aforementioned drivers for change exerting pressure on healthcare, big data permeates all discussions of growth and change.
The ability to aggregate data from multiple sources is one factor for change, pushed by development and adoption of machine learning and artificial intelligence within the healthcare sphere. Telemetry systems strain the capabilities of site based storage. Decisions around the suitability of cloud storage, the security of it, questions around compliance and responsiveness of cloud storage in light of possible cost savings add elements of possibility and uncertainty.
Healthcare CFOs in hospitals, imaging centers, surgical centers, and more are under unrelenting demands to reduce costs as profit margins continue to narrow. Medical directors must ensure better patient care, personalized to each patient and with individual information immediately accessible per HIPAA guidelines. The IT Manager must keep all of this electronic protected health information (ePHI) secure. Operations managers face competitors who use sleek marketing campaigns to boast of increased inpatient flow and met operability targets. How can a single facility not just meet these challenges, but exceed them?
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 with the intent to "improve the portability and accountability of health insurance coverage". Further developments established privacy and security guidelines. After a period of revision and comment, the HIPAA "Privacy Rule" was published in 2002. According to hhs.gov, this critical element of the Act is meant to "assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being." Health plans, health care providers, digital clearinghouses, and even business associates and contractors such as billing, claims processing, and data analysis companies are responsible for meeting these privacy requirements.
The requirements to comply with HIPAA became an impetus to digitize healthcare records, as outlined in the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, which then led to the Meaningful Use incentive program.
Central to these criteria was the establishment of electronic health records (EHR). While today's digital records mostly replace bulky files in physical storage, they do still have storage demands that can tax infrastructures and budgets. Patient data can encompass decades, contain information from multiple providers, and hold hundreds of imaging sequences from a single appointment.
The growth of medical record data is astronomical. In fact, some estimates put a 40% growth on data storage needs annually. Dealing with this level of electronic data is an enormous challenge, but when one considers the privacy conditions to be compliant with HIPAA, the complexity of maintaining responsive yet secure storage intensifies.
Rising IT infrastructure costs are one more hurdle to managing data demands and privacy requirements. Hardware, software, and networks need regular updating and upgrading. Computers, mobile devices, medical devices, telemetry tools and other connected devices do more than produce data: they are greedy for limited bandwidth. Remote management programs and licensing fees for ubiquitous tools like Microsoft Office and Adobe, not to mention vendor specific applications, add to the bottom line. How does one decide how to best distribute limited funds in an environment with so many competing priorities?
In addition to addressing infrastructure cost considerations, healthcare IT administrators also need to consider the potential cost of data loss. Severe weather events such as earthquakes, hurricanes, tornadoes, and fires can destroy servers holding digital health records. Unfortunately, climate data shows an increase in frequency and intensity of these kinds of disasters.
Catastrophic floods due to intense precipitation, river flooding, and coastal storm surge especially threaten to immerse on-site servers that have not been designed to cope with natural disasters.
Security breaches also threaten electronic health records. About half of data breaches are the result of human error and system glitches. The other half of breaches are rooted in malicious intent or criminal behavior. The cost for all types of data breaches is steep, and for no industry as high as healthcare. In fact, the 2018 Cost of Data Breach Study ranks each industry's cost per breach. Healthcare sits at the top of the list, at $408 per person, almost twice the next highest, finance.
All breaches, including hacking and ransomware attacks, make recovery costly indeed. Churn, when customers leave a business for another one, is most noted post attack in healthcare, leading at 6.7%, almost twice the average of all other industries. This shows that customers must trust that their healthcare data is protected, and if they believe otherwise, they will take their business elsewhere. Given the "value based" model beginning to dominate healthcare today, providers must be equipped to prove positive outcomes over time. Should patients leave because of lack of trust, there will be no viable timeline to measure progress.
Cloud storage has been a much bandied about term, but as such, it is also shrouded in misconception to the point of being a buzzword. After all, isn't everyone "in the cloud" and "migrating to the cloud", or getting ready to deploy a cloud-based XaaS?
First, what exactly is meant by cloud? Cloud computing simply means using on-demand computing services. This can include applications, power, and storage, among other things. These are stored in servers, not on the user's computer and generally not on site. The information travels via the Internet to the user, who has access to it when needed, sometimes only paying for what is used at that time. Specifically, cloud storage refers to off-site storage. When a person walks into a cloud storage facility, after noticing the solid structure around it and getting through security, they would see a large room full of stacks of servers and banded wires running overhead. Some areas may be separated from the rest, as a particular tenant may have bought a set amount of servers for their exclusive use. That's the physical, definitely not fluffy, literal look at the cloud.
One purpose of that server farm is to provide Infrastructure as a Service (IaaS). This is where servers and storage, networking, and data centers are managed by the vendor. The client remains in control of applications and operating systems.
But the converse is also true. When well managed, healthcare cloud storage can ensure data retention, lead to greater productivity, and save money. Health care providers can access secure patient records at any time and share pertinent information with other professionals. Large files are stored without worry of taking up too much space. Data is positioned for the application of analytics programs that can lend insight to everything from patient throughput to predicting readmission likelihood. Advances in artificial intelligence, now widespread in radiology but expected to affect other medical disciplines, can be run on flexible storage space as needed. Machine learning programs that can decipher dark data, useful but previously unusable records because of data readability issues or mistaken beliefs that they were unimportant elements of a patient's record, will be able to work on "smart" EHRs as organizations move toward precision medicine.
Telemedicine, still in its infancy, is anticipated to grow annually by almost 20% over the next five years. All of those appointments will be digitally recorded and will need to be stored. Cloud storage will be necessary for future adaptation to healthcare developments.
But how can healthcare cloud storage make an immediate difference in a company's operation? Washington Heights Imaging, a large imaging provider for the greater New York area, used a legacy picture archiving and communication system (PACS) that was slow and did not have a user-friendly interface, providing a substandard overall user experience that hampered efficiency and productivity. When they moved to cloud storage, clients received improved turnaround speeds and ease of use. Patient results were automatically incorporated into their EHR so that doctors did not have to manually add radiology reports. DICOM files could be shared and accessed by various providers, and easily read on their existing radiology applications. Through a series of cascading organizational and technical changes made possible by cloud storage, IT costs were reduced by over half. The transition to cloud storage was seamless, and data redundancy in two separate data centers means that their records are secure from disaster or hacking attempts. And finally, because of greater client satisfaction and EHR interoperability, more doctors are referring patients there for imaging.
This is the most primitive version of "cloud". It uses a company's own servers or other hardware on location to store data and provide cloud based software. In that, it is not IaaS but rather part of a strategy for deploying SaaS. It is not generally scalable nor does it offer other qualities that one associates with cloud storage. Do not confuse on-premise storage with private cloud storage, which is discussed below.
Hybrid, at its root, means of mixed components. In this case, there are a few versions of hybrid cloud, and the components vary. Public cloud is where a cloud storage provider manages and maintains the hardware and infrastructure, and deploys it via the internet. This is in contrast to private cloud, in which a single organization or corporation purchases, maintains, and manages every element of the system.
Hybrid cloud can be comprised of a private and public cloud. A company may choose to maintain local control of some information in its own data center, however large or small that might be. It could also migrate other data to a public cloud vendor, or use a public cloud service to run SaaS and PaaS applications.
Hybrid cloud can also mean using two or more different public cloud service providers. Cloud storage has been widely used for over a decade, and some organizations have legacy systems that "have always been" part of a certain cloud provider's offerings, so the organization has never felt the need to change. Others use multiple clouds as a double-failsafe for critical data, or are in various stages of the merger-acquisition process and have yet to consolidate under one umbrella.
In this, an organization contracts with a cloud hosting company to privately manage all of their data. Instead of sharing a bank of servers with other clients, a single organization rents or buys tenancy in a data center for its exclusive use and with a guarantee that there will be no other client using those dedicated servers, even ones which currently have no data on them. With a private pure cloud, the entire capacity of the system is purchased up front and paid for even when not in use. Benefits to this setup are that the hosting company still manages the system and maintains it, and that physical and cyber security already in place in the larger data center also guard the organization's private servers.
Public pure cloud refers to cloud storage that is shared among a cloud storage provider's clients. Facilities are managed by the provider, and clients have the benefits of scaling up or down as needs dictate. Storage, computational power, and applications can be instantly provisioned for each client's individual situation. There is no need to pay for more than is being used, application availability is not limited, and security for all is intact. Being able to take advantage of this agility through economies of scale makes this an attractive model, as is the need for a lower up-front investment as compared to a private cloud model. The public pure cloud is also reliable. Since it distributes resources across the entire network of data centers, an organization's information is protected even if there is an issue at one location; the others can pick up the network load until the problem is resolved. For healthcare organizations using a public pure cloud, the reliability issue is a major factor in guaranteeing patient access for HIPAA compliance.
We live in a data-dependent landscape. Having the tools to store and process the ever increasing amounts of data our lives produce powers our ability to respond to change with agility. This ability comes with responsibilities, legal mandates for storage and use as well as ethical considerations tied to such personal information as healthcare data. Moving beyond talk of compliance and technical conditions, the irony is that all of these 0s and 1s actually open the doors for us to be better humans. Data lends the insight, but we are the ones who can act on what it reveals. Wise use of the massive amount of healthcare data compels us to create a better emergency waiting experience, provide individualized care to rural populations who lack transportation to state of the art facilities, to monitor vital functions from afar and remotely regulate anomalies. This data can be used to train machines to see imaging abnormalities and lead to quicker intervention, can catch genetic resistance to different chemotherapies, or find a previously unknown pharmaceutical therapy.
Practically speaking, all of this data needs storage. Storage that is flexible, scalable, and secure. Reducing costs to hold this data, being able to contribute to better patient outcomes while saving money, and meeting federal healthcare use and storage initiatives are the immediate reasons for selecting reliable and secure HIPAA compliant cloud storage. All of the good things mentioned above are long-term benefits that require long-term storage solutions.
HIPAA compliant cloud storage business relationships begin with a Business Associate Agreement (BAA), but also should have a Service Level Agreement (SLA) that outlines specific responsibilities. According to hhs.gov, SLAs can include provisions that address such HIPAA concerns as:
Before reaching the SLA level, organizations considering cloud storage should ask questions and compare different providers. Those questions could include the following:
Due diligence in all of these areas is critical. Maintaining the integrity, reliability, and accessibility of patient data is of paramount concern. These questions are a jumping off point to get conversations started, but engaging the expertise of an independent auditing company is worth serious consideration, as they may see areas of potential strength and weakness that are not readily apparent to those without significant experience in managing the cloud migration of highly sensitive information, especially on an enterprise level.
A successful cloud storage migration begins with a thorough analysis of the current and anticipated needs of the healthcare facility and the financial resources for such a change. The organization should ensure that it is HIPAA compliant in how it currently handles data, so that irregularities are not simply being transferred to a new environment. Project managers with enterprise level cloud migration experience will be necessary for a large scale, successful migration.
Because such a migration will affect everyone who touches an organization's ePHI, there needs to be a strong champion with C-level authority and leadership to enact such a change. There will be a ripple effect, and resistance from some is to be expected. Activating a multi-departmental internal change team that can mobilize robust internal PR, marketing, and education initiatives could be an essential element in making a technical transition effective on a system-wide, human level.