Posted by: Jenny Laurello
Data management, data privacy and security, Data storage, HIPAA, PHI, PII, Privacy and security, Value chain
On July 19, 1989, a DC-10 crash landed in Sioux City, Iowa, killing more than a third of its passengers. Survivors said it was a miracle anyone lived; the flight crew was hailed as heroes. The tail section and right wing broke off as the plane caught on fire, bounced and flipped upside down. Debris scattered as far away as 75 miles. The cause? Microscopic cracks in the plane’s fan disk that formed when the disk was made. These tiny imperfections could have been prevented and should have been discovered during inspection. They were small links in a complex “chain” of parts that went into creating the airliner. But they failed.
When a privacy or security breach occurs in the health care chain, a break in a single link can usually be caught and managed. The real danger is a series of imperfections across multiple links. Privacy and security must therefore be addressed at every link: policies and technology standards that cover only one component of the value chain do not cover the larger ecosystem, and the broader impact on patients, physicians and health IT systems goes unexamined. Looking at the chain end to end lets an organization see how privacy and security work together as a whole.
In the health care industry, using a simple cell phone app to help manage a patient's care is fast becoming a reality. Users will value this capability highly as long as it is reliable. Safeguarding privacy and security in such mobile technology means securing a long series of links; the stronger the links, the more secure the "value chain." But with the proliferation of medical apps on patients' and physicians' smartphones and other mobile devices, protecting the shared information presents a "hard rain" of challenges.
Smartphones and tablets have their own operating systems and security models. A single device may run three or more web browsers, multiple email accounts and many non-health applications. Not all software is designed the same way, so how well one application interfaces with another varies, and the protocols governing how data is transmitted and accessed differ from one to the next. As many as six different networks can carry a patient's health information: the patient's mobile carrier, a hospital Wi-Fi or wired network, a third-party telecommunications provider, a data center network, a personal physician's network and an insurance company network.
So where to begin?
List your value chain in detail to find the weak links. Think about these areas:
1) Smartphones/tablets: What data is being accessed? What non-clinical data resides on the device? Who can access the device?
2) Applications/software platforms and integration: What data does the application gather? Who is responsible for updating it and ensuring compatibility with other software?
3) Networks: How is the data transmitted: Wi-Fi, cellular, wired, third-party communications providers?
4) Data storage: How is information stored? Where is it stored? Who manages it?
5) Access: Who needs access to the data: patient, physician, nurses, labs, pharmacists, payers, insurance company?
6) Management of data: Who manages the data as it is created, stored and accessed: hospital IT staff, third-party data storage, payer, insurer?
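The six questions above are an inventory, and an inventory is only useful if it surfaces the weak links. The following is an added example, not code from the original article: it records each link of the chain described above (device, carrier, hospital, data center, physician's network, insurer) with the data it can read, whether the hop to the next link is encrypted, whether it stores data, and who owns it, then flags the links a reviewer would want to look at first. The chain, the data classes and the "minimum necessary" table are constructed for illustration; a real deployment would substitute its own.

```python
"""Value-chain inventory for a mobile health app (added example, constructed data).

Each Link is one hop in the chain. find_weak_links() reports:
  - sensitive data leaving a link over an unencrypted hop,
  - sensitive data stored without encryption at rest,
  - a link with no accountable owner for updates and patching,
  - a party that can read more data than its role needs.
Plaintext sent over an unencrypted hop is treated as visible to the next
link, so one weak hop can produce findings at the link after it too.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PHI = "PHI"   # protected health information (diagnoses, labs, medications)
PII = "PII"   # identifying data (name, address, phone)

# Constructed "minimum necessary" table: data classes each role needs to
# read in plaintext. Transit networks and storage hosts should see none.
NEED_TO_KNOW = {
    "patient": {PHI, PII},
    "physician": {PHI, PII},
    "pharmacy": {PHI, PII},
    "payer": {PII},        # claims routing does not need the clinical record
    "transit": set(),
    "storage": set(),
}


@dataclass
class Link:
    name: str
    role: str                    # key into NEED_TO_KNOW
    handles: Set[str]            # data this party reads in plaintext by design
    transport_encrypted: bool    # is the hop to the next link protected (e.g. TLS)?
    stores: bool = False         # does this link persist the data?
    encrypted_at_rest: bool = False
    owner: Optional[str] = None  # who is accountable for updates and patching


def find_weak_links(chain: List[Link]) -> List[Tuple[str, str]]:
    """Return (link name, issue) pairs in chain order."""
    findings = []
    exposed: Set[str] = set()    # plaintext carried into this link on the wire
    for link in chain:
        visible = link.handles | exposed
        sensitive = visible & {PHI, PII}
        if sensitive and not link.transport_encrypted:
            findings.append((link.name, "sensitive data leaves this link unencrypted"))
        if link.stores and sensitive and not link.encrypted_at_rest:
            findings.append((link.name, "stores sensitive data without encryption at rest"))
        if link.owner is None:
            findings.append((link.name, "no accountable owner for updates and patching"))
        excess = visible - NEED_TO_KNOW.get(link.role, set())
        if excess:
            findings.append((link.name,
                             f"can read more data than the {link.role} role needs: {sorted(excess)}"))
        # Whatever this link sends unencrypted is readable by the next link.
        exposed = visible if not link.transport_encrypted else set()
    return findings


def example_chain() -> List[Link]:
    """Constructed six-link chain mirroring the networks listed in the article."""
    return [
        Link("patient smartphone app", "patient", {PHI, PII}, transport_encrypted=True,
             stores=True, encrypted_at_rest=False, owner="app vendor"),
        Link("mobile carrier", "transit", set(), transport_encrypted=True, owner="carrier"),
        # Hypothetical legacy feed to the hosting provider sent without TLS.
        Link("hospital EHR gateway", "physician", {PHI, PII}, transport_encrypted=False,
             stores=True, encrypted_at_rest=True, owner="hospital IT"),
        Link("third-party data center", "storage", set(), transport_encrypted=True,
             stores=True, encrypted_at_rest=True, owner="hosting provider"),
        Link("physician practice network", "physician", {PHI, PII}, transport_encrypted=True,
             owner=None),
        Link("insurer claims system", "payer", {PHI, PII}, transport_encrypted=True,
             stores=True, encrypted_at_rest=True, owner="insurer"),
    ]


if __name__ == "__main__":
    for name, issue in find_weak_links(example_chain()):
        print(f"{name}: {issue}")
```

Running it on the constructed chain flags the phone for unencrypted local storage, the EHR gateway for its cleartext hop, the data center for being able to read PHI it should only ever hold encrypted, the practice network for having no owner, and the insurer for receiving clinical data its role does not need. Setting `transport_encrypted=True` on the gateway clears both the gateway finding and the data center finding, which is the point of modelling the chain end to end rather than one link at a time.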
Once you have identified your value chain and the health of each link, consider the following:
1) Review your current privacy and security standards and processes across your value chain.
2) Identify the critical path necessary to execute privacy and security safely and effectively.
3) Identify the silos that exist within your organization, and the dependencies of each.
4) Review ways to minimize risk as PII works its way through your systems.
Discovering the health of your ecosystem and addressing issues early will keep catastrophic failures from happening to your healthcare value chain.
This is part one of a series of articles designed to address the health care IT ecosystem. Each of the six areas has to be managed in order to provide mobile health care technologies across a spectrum of services, standards and federal policies.