Healthcare data management is the critical process of storing, protecting, and analyzing data pulled from various sources. Managing the treasure trove of available healthcare data “allows health systems to create holistic views of patients, personalize treatments, improve communication, and enhance health outcomes” (eVariant).
Thus, patient data is an essential component of the healthcare system without which it would be difficult to function.
The amount of healthcare data available is expected to reach about 25,000 petabytes by 2020 (eVariant). This means that managing that data must become a priority. Healthcare organizations need to become data-driven, with diligent administrators and physicians focused on collecting patient data, marketing departments focused on data insights, and patients prompted to update their data whenever they can.
Making data management a priority requires involvement from all players in the healthcare industry. Negotiating this level of buy-in can be a daunting, even overwhelming challenge. In addition, it makes the challenge of securing all of this data even greater.
Another level of difficulty lies in the COVID-19 pandemic. According to the Healthcare Compliance Association (HCCA), Google’s Gmail service reported that it saw more than 18 million daily malware and phishing emails related to COVID-19 scams in just one week, and more than 240 million daily spam messages related to COVID-19. However, only 45% of respondents to the global survey said they are concerned about the risk of being scammed during or about a health crisis.
Three practices to defend protected health information (PHI) include via Medical Economics:
Under HIPAA, patient data is supposed to be encrypted whenever possible. Any electronic health record system (EHR) is able to accomplish this. But practices should not rely on encryption alone to prevent their data from being stolen, as encryption relies on protecting access to the system, and there is a powerful human element at play there. Over 80% of security breaches are the result of human error.
That said, security training can prevent those sorts of breaches by education about phishing tactics and other such scams.
Controlling system access takes different forms depending on the type of EHR the practice is using.
For example, in a client-server network, the server that stores the EHR Is located on-site and providers and staff can access the EHR through their computer network. In these types of setups, the practice is usually responsible for setting up their own security.
However, in a cloud-based EHR, the application and data are stored on a remote server. Computers reach the EHR through a web browser. The cloud-based EHR vendor configuration security for its own servers, which means practices don’t have to worry about it.
Either way, the practice’s data security could still be at risk if a password is stolen or malware is in the network. The system is also vulnerable if older operating systems such as Windows XP are still in use, or if security patches are not being regularly applied to their computer systems.
If your practice uses a client-server system, it should have onsite backup, like a mirrored server, that can replace the main server if it goes down. All practices should have off-site backup, and all practices should maintain off site copies of their financial data, including data from billing systems, general ledgers and payroll systems.
A cloud-based EHR vendor will back up EHR data, so you won’t need to worry about it. But practices that are using client-server systems should back up their data on tape and move it offsite on at least a daily basis. These backups should be offline in case a hacker takes over the network. Finally, those backups must be encrypted or it is considered a security breach under HIPAA.
Other strategies to manage patient data include:
Authenticate users Provide remote access securely Adopt role-based access Don’t store data on user devices Use and scan audit logs Get business associate agreements