Guest Column | February 20, 2018

Where Should Healthcare Data Be Stored In 2018 — And Beyond?

By Bill Tolson, vice president of marketing, Archive360

Data Folder

New technologies offer leaps in healthcare capabilities, but the resulting explosion of data leads to new maladies to cure.

According to IDC, worldwide revenues for information technology products and services will grow from nearly $2.4 trillion in 2016, to more than $2.7 trillion in 2020, led by financial services, manufacturing and healthcare. As a healthcare IT professional, this probably comes as no surprise. You have likely been watching your data grow at an astronomical rate – and with it, the time and budget required to store, manage, and protect it.

As you know, diagnostic devices such as CT Scanners, MRI machines, X-ray machines, to name just a few, generate huge amounts of imaging data. And, as the technology continues to improve, the images get even bigger. The challenge with these images of course is that they must be saved for diagnostic activities, as well as regulatory compliance and legal preparedness.

A patchwork of national and local regulations dictate how long healthcare providers must maintain patient data, including diagnostic images. However, several years ago regulators added a new twist – demanding that all non-electronic patient health records must be converted to electronic formats. While this added seemingly impossible demands upon your already stressed IT, storage, data protection and security resources – making all patient data available electronically has provided numerous benefits as well, such as the ability to share and access it anytime, from virtually anywhere.

But, back to the regulatory demands… Hospitals are generally required to keep images for seven years, but many keep them much longer. Hospitals also retain backup copies as part of disaster recovery (DR) planning and to comply with the federal healthcare privacy laws. As a result, most medical image archives are increasing by as much as 40 percent annually.

The IoT And Healthcare

As the Internet of Things (IoT) has gained a sizable foothold in business environments, the healthcare industry has also experienced a growing incursion. These connected devices generate growing amounts of data which are further exacerbating existing data management and storage problems for the healthcare industry. Examples of healthcare IoT devices are:

  • Patient monitors
  • Drug delivery systems
  • In-room devices such as monitors and controls
  • RFID readers
  • Tracking devices and sensors for physiological measurements
  • Video cameras

These and future devices will continue to generate huge amounts of data subject to regulatory and legal requirements. The question is how can these new data streams be captured, secured, indexed and searched, exported, and managed for the long term?

Another issue the healthcare industry is facing is how to handle the expanding variety of data formats from these devices. Can the different data formats be stored in a common archive and made easily searchable?

Dark Data Is Valueless (And Dangerous) Data

Because much of this IoT data is not yet stored centrally, as much as 80 percent is considered “dark data” because it cannot be easily located, managed, searched and exported for business, regulatory and/or legal use.

To provide business utility, as well as meet regulatory and legal preparedness requirements, data needs to be collected, captured, secured, tagged and stored, so that it can be managed and searched efficiently. And, because data is now coming from numerous dissimilar sources, it will either need to be converted into a common format or, be managed by a system that can recognize and work with the varying data formats.

Healthcare Data Security

One need not be a healthcare professional to recognize the level of sensitivity attached to so much of healthcare data. Nevertheless, the healthcare industry continues to face significant challenges in its ability to protect its data appropriately. According to recent research from a number of industry analyst firms following this space, over 90 percent of healthcare data should be stringently protected as defined by regulatory guidelines, however about 55 percent-60 percent is only “somewhat protected” and about 40 percent-45 percent is “not adequately protected.”

This lack of effective security dramatically raised the liability levels for any healthcare organization. In addition to the internal IT and business headaches, the consequences of a data breach and/or loss can include enormous financial penalties, legal costs, and ongoing negative publicity which further negatively impacts the bottom-line. The regulatory penalties alone from the two most recognizable U.S. healthcare regulations, HIPAA and HITECH, include huge fines for privacy violations - e.g., with the introduction of the HITECH act, the maximum penalty per identical violation per calendar year is now $1.5 million.

With the quantities of data being generated by the healthcare industry, the regulatory climate and the specter of very public lawsuits again raises the original question; where can the healthcare industry store and protect all of this critical and sensitive data? In today’s climate, this question carries a much higher priority to resolve.

Secure, Scalable, Inexpensive: The Cloud Is The Only Viable Solution

Few would argue that healthcare data storage requirements are quadrupling every two-to-three years. This tidal wave of electronic medical information, including unstructured data, the IoT, and imaging records, will continue to put tremendous strain on individual healthcare data centers. In reality, the cloud offers the only viable solution for the out-of-control growth of healthcare industry data.

So if the cloud is the eventual destination for all medical data, what should healthcare organizations consider when creating their overall cloud strategy?

The first step in beginning a cloud strategy should be to fully understand what data is being generated and where it resides. As mentioned earlier, up to 80 percent of healthcare data is “dark” - because it is spread across numerous single point repositories and cannot be easily managed, searched, or exported for business use (medical or administrative), regulatory request, or eDiscovery.

Questions to address before you start purchasing technology include:

STRATEGY RELATED QUESTIONS:

  • Where are all of the devices and locations where your organization’s healthcare data can be found?
  • What type of storage is it residing on?
  • Does the data storage meet current regulatory requirements?
  • What is the fully loaded annual cost of storing, securing and searching your data?
  • What would these costs (estimated) be if you moved to a cloud solution?
  • What would it cost (and what are the benefits) of centralizing all healthcare data so it can be automatically moved to a cloud solution?
  • Should you migrate all of your current data to the cloud, or keep it in your current on premise system and only move new data to the cloud?

To Migrate Or Not Migrate, That Is The Question… Or, Is It?

The last question about data migration is an important one due to the potential cost associated with migration versus the cost of keeping data on premise, for what could be many years. This decision will directly affect your TCO and ROI calculations.

What is the fully loaded annual cost of storing, managing, and securing large amounts of sensitive data locally versus the cloud plus the required data migration? In reality the comparison is straight forward. The fully loaded cost of on premise storage including management and security is approximately $0.15 to $0.30 per GB per month. The cost of non-proprietary cloud solutions which meet healthcare industry requirements will run between $0.005 (5 tenths of a cent) to $0.07 per GB per month. Many cloud solutions provide extremely high levels of security (including data encryption at rest), data management capabilities, and geographical data redundancy. The cost of data migration can differ widely, ranging from free, to $7,000 per TB – the average being in the $1,000 per TB range, and depending on the cloud archive provider, even lower. In almost every case, the TCO and ROI will quickly highlight that data migration of your current data stores to the cloud will produce a highly positive ROI.

Once you have answers to the above questions, you can begin building your cloud strategy. After you have completed your strategy, you should discuss it with your legal team and insist on documented approval. I once had a General Counsel tell me that your legal team’s approval is your personal insurance policy in case legal or regulatory issues arise later.

The next step is to begin choosing the technology and vendor. You should proceed into the technology phase by addressing the questions below:

TECHNOLOGY AND PROCESS RELATED QUESTIONS:

  • Who are the biggest cloud suppliers in the healthcare industry?
  • Which one has the most healthcare industry references?
  • Can you choose and interview the references?
  • What are their SLA’s compared to other vendors?
  • Do they offer differing levels of storage i.e. Hot, Cool, Cold?
  • Do they offer geographically redundant storage (GRS)?
  • Have they ever been hacked and how long did it take them to realize it?
  • Do they offer encryption of data at rest?
  • Do they require you to provide them your encryption keys?
  • What data formats can they work with?
  • Does their system index all the data types your organization will encounter?
  • Is the archived data easily searchable?
  • Can you quickly apply litigation holds?
  • Does the system provide the ability to create retention/disposition policies?
  • Can copies of the data be easily exported?
  • Does the system offer granular access and functionality controls?
  • Are all actions within the system audited and reportable?
  • What is the fully loaded cost per GB of storage and management?
  • Does the cloud provider undergo regular security audits and re-certification?
  • Does the cloud provider completely understand their (and your) obligations under all applicable regulatory laws?
  • Do they have systems or partners in place to help migrate your current data in a legally defensible manner?

The answers to these questions will help you choose the best healthcare cloud technology and provider. And, here is a great place to start.

Microsoft Azure For Healthcare Data

There are a handful of select solutions providers that Microsoft has chosen to partner and align with. Based on these close relationships, these providers are able to build their solutions to enhance and fit with the Microsoft cloud, like a glove. For healthcare data, Microsoft Azure offers an ideal platform. But, you likely already know or are beginning to learn more about why that is true. You likely already know or are learning that Azure offers geographically redundant storage so your sensitive data is always replicated to ensure durability, high availability (HA), and compliance. And, Azure provides three cost effective storage tiers – Hot, Cool, and Archive so you can dynamically direct specific data to the most appropriate storage tier.

So, I will move to the next step. Once Azure is selected, to enhance and extend its capabilities, as well as lower overall costs, healthcare data management professionals need to seek a solution that is 1.) engineered specifically for Azure cloud services and 2.) offers native, connected intelligent data management and archiving applications that provide proactive, personalized healthcare data management across all organizations, departments, people and devices. Next, your solution must assure that your sensitive healthcare data is stored within your company’s own Azure instance.

But, don’t stop there. This is healthcare data after all. You need a solution that provides the management and archiving capabilities that allow you to set granular retention/disposition policies, create customized - on-demand indexing, set encryption capabilities, assign access controls, and produce detailed reports based on system-wide auditing. In addition, you will also like require a product that offers legally defensible data migration capabilities to the Microsoft Cloud.

By layering Azure with a solution such as this, you can ease your data management burden and dramatically lower costs, while protecting patient, clinical and business data from breach or intrusion, as well as ensure privacy, compliance with regulatory mandates, and proper data retention and legal holds are applied.

About The Author

Bill Tolson has more than 25 years of experience with multinational corporations and technology start-ups, including 15-plus years in the archiving, ECM, information governance, regulations compliance and legal eDiscovery markets. Prior to joining Archive360, Bill held leadership positions at Actiance, Recommind, Hewlett Packard, Iron Mountain, Mimosa Systems, and StorageTek. Bill is a much sought and frequent speaker at legal, regulatory compliance and information governance industry events and has authored numerous articles and blogs. Bill is the author of two eBooks: “The Know IT All’s Guide to eDiscovery” and “The Bartenders Guide to eDiscovery.” He is also the author of the book “Cloud Archiving for Dummies” and co-author of the book “Email Archiving for Dummies.” Bill holds a Bachelor of Science degree in Business Management from California State University Dominguez Hills.