With the advent of the electronic health record (EHR) and a dramatic increase in collaborative healthcare, many assume that the challenges related to patient data management have been conquered. However, while progress has been made, storage is still a sticking point.
Today, nearly all industries are struggling with ever increasing amounts of data. Hospitals are further tasked with the challenge of developing solutions that integrate data from patient systems with healthcare providers, payers, pharmaceutical firms and patients – all while adhering to compliance mandates.
Much of the issue surrounds the varied types of data stored; everything from emails and clinician notes to diagnostic tests and medical images. The sheer volume can be staggering. Consider that the business consulting firm Frost & Sullivan says that picture archiving and communication system (PACS) storage alone is growing at more than 20 percent annually in the U.S.
For many organizations, the answer is building a patient management solution on an enterprise content management (ECM) platform — one suitable for handling patient data effectively and securely. In addition to ECM, such a solution includes storage management and virtualization, data security, data migration and patient applications.
Enterprise Content Management in Healthcare
Managing a fast-growing store of various data types starts with capturing and intelligently managing all data related to a patient in an ECM system, such as those offered by vendors like EMC, HP, IBM and OpenText.
These systems can collect and manage both structured and unstructured data from a variety of sources. They can also integrate with existing applications such as enterprise resource planning (ERP), customer relationship management (CRM) and enterprise portals.
“The goal is to provide the plumbing to let an open path flow the right information to the right people,” explains Lalith Subramanian, vice president of technology and new ventures in EMC’s Information Intelligence Group. Getting maximum leverage from the data means collaboratively creating, managing, delivering and archiving the information needed for operational requirements.
Because of compliance concerns, security is a major part of healthcare-related ECMs as well. Healthcare ECM solutions are designed to ensure legal and regulatory compliance, including those related to billing, state licensures, medical certifications plus state and federal privacy and security regulations.
“You have to be able to not only seamlessly manage content and identify the different sources through which the data is being generated, but know that the right people are accessing the right information based on their role,” explains Mukul Krishna, director of digital media at Frost & Sullivan.
That requires role-based access controls, which allow only those with the right credentials to access the data. For example, the system could be set up so that patients have access to certain data only when in the hospital but not after leaving, or that insurance companies have access to different information than doctors or other caregivers.
Multi-level Security and HIPAA Compliance
When it comes to managing patient data, security is paramount at every level — not only within the content management solution. Making security the top priority is the only way to comply with federal healthcare security mandates — namely the Health Information Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH)/Meaningful Use Stage 2 requirements.
After ensuring that an ECM platform is fully compliant with those mandates, the next step is implementing some sort of enterprise rights management framework or policy wrapper, which protects data via encryption. The goal is to control access and usage of intellectual property and personal information. Vendors with trusted solutions in this area include Adobe, EMC, Microsoft and Oracle.
“We think of digital rights management as pervasive governance,” Subramanian says. “If you have it on a piece of content like a medical image, we cannot only check that you are the right person, we can also audit whether or not you looked at it, how many times, when, and from where.”
It’s also critical to have ironclad security on the network. This can help prevent everything from unauthorized access to devices to securing transfer of data outside of the firewall.
“Security is important at every level, from the server, to the network, to the movement of data from one point to another,” says Kathy English, Cisco’s senior director of public sector and health care marketing.
The type of security controls implemented will vary depending on where the data is being stored and what devices are being used to access the data.
If, for example, the organization has a bring-your-own-device (BYOD) policy and users are using a variety of mobile devices to access the network and the data, a content-aware, identity-based platform that collects and validates real-time information from the network, users and devices, is a good choice.
One example is Cisco’s Identity Services Engine (ISE). The application allows organizations to program usage and access policies and then enforces those policies across the network infrastructure.
“It allows you to define that if you are a doctor, for example, you can access this specific application containing patient information from this device from this location,” English explains. “If you are at a Starbucks, you will have a different level of access than when you’re in a hospital or at home. You can assign those rules based on policy.”
Another area where security is paramount is when migrating data outside of the internal network – perhaps to another facility. A good technology to implement for this scenario is data loss protection or DLP, which provides security for both data at rest and data in transit.
DLP helps detect security breaches as they occur with controls at both the device level and the content level. DLP solutions also allow setting policies and will enforce those rules. Vendors with robust DLP solutions include CA Technologies, Cisco, McAfee, Symantec, Trend Micro and Websense.
The Storage Component
With the twin challenges of fast-growing healthcare data and the need to meet compliance requirements, storage capacity and management concerns are front and center. These concerns are very real; most hospitals, for example, have to store data for at least 10 years, according to Frost & Sullivan.
According to storage vendor NetApp, healthcare data is growing at 146 percent compounded annually. This is largely due to data such as genomics, medical and document images and videos.
There are two ways to approach storage for patient data management — either by using a content management system that has integrated storage (such as solutions from EMC and HP), or by incorporating an independent storage system with the right requirements for managing patient data.
“A storage solution for healthcare has to be agile and expandable without requiring the organization to do a complete upgrade and conversion,” explains John McDaniel, national practice leader for the U.S. Healthcare Provider market at NetApp. “And it can never go down.”
What McDaniel is talking about is the idea that critical patient data — data that is being used to currently assess or treat a patient — be immediately available. Older or less critical data can be relegated to less expensive storage.
He recommends a combination of clustered storage area network (SAN) technology, which enables several storage arrays to be connected and function as one. The network attached storage can be used for storing, retrieving and securing large volumes of object-oriented data.
Clearly, all of the pieces of the puzzle are available today to make patient data secure and manageable. However, there is no one-size-fits-all solution, and no vendor can provide every technology required. However, Krishna says the industry is on the right track.