The health care industry in September saw yet another HIPAA data breach settlement -- an out-of-court arrangement...
in which a health care provider paid more than $1.5 million for "potential violations" of the HIPAA Security Rule. In this case the defendant misplaced a laptop containing the unencrypted medical records of more than 3,600 patients, thereby triggering the requirement to report the incident. But reaching a settlement kept the matter from becoming a legal precedent on which future cases could be argued and won, potentially producing much larger payouts.
The recent incident follows a long line of health data breaches involving both public and private health care institutions. Alaska, Utah, South Carolina and Kansas health care agencies and departments have had the data of more than a million patients hacked, stolen or otherwise disclosed in 2012. The failure of private hospitals and health care providers to secure patient data adequately has produced nearly a million more disclosure victims this year.
That's as good a way as any to segue into the problem of the health care data deluge and the challenges it creates for IT planners seeking ways to store, manage and protect all of the bits. Health care data is one of the fastest growing parts of the data tsunami touted by IDC, Gartner and other industry analysts.
Defining the "big disk drive in the sky"
In a sense, the health care industry is a victim of its own technology innovation, with the ongoing improvements in medical imaging and genetic mapping leading the list of demands for storage capacity growth. Mix this with regulatory and legal requirements to store patient data for a protracted period of time -- over a decade by federal mandate for some data, and for many more decades under the laws of certain states -- and soon you have a data management nightmare scenario. The health care IT planner confronts more data than he or she has capacity (or money to buy adequate capacity) to store, manage or protect.
Health care data is one of the fastest growing parts of the data tsunami.
Among the solutions being pitched for storing patient data are public "storage clouds." Once the planner gets through the painful exercise of determining what the vendor means by "cloud," this option usually comprises one of two services. In some cases, cloud storage is simply capacity on demand -- a "big disk drive in the sky" that anyone with a credit card can purchase as needed. On the other hand, the idea of a "storage cloud" may actually describe a service beyond simple capacity. The provider may offer either data protection services for health care data, such as backup or secure data archiving services or both.
David Kleinman, manager of managed services support with Fujifilm Medical Systems USA Inc., in Stamford, Conn., notes that Fujifilm's medical data management services predate clouds, a term that Kleinman doesn't like to use; instead, he considers the services an outgrowth of a service bureau business that was set up to support users of the company's picture archiving and communication system (PACS) software.
Fujifilm Medical Systems has provided managed services for about seven years, including data protection and disaster recovery for medical imaging data, hosting for radiology applications, delivery of PACS software as a managed service, and data archiving. Originally, data-related services were easily defined, Kleinman says. Disaster recovery meant that the user copied data, with one copy stored at the health care provider's own facility and a "safety copy" maintained at the company's Denver, Colo., data center. Archive services, by contrast, meant local copies of data were purged from health care provider's storage, and the data itself was placed under management at Fujifilm Medical Systems.
Kleinman said legal and regulatory mandates from the HIPAA security and privacy rules have increased demands for Fujifilm services. Health care providers sometimes see the data management requirements of the mandates as beyond their technical ability, driving them instead to seek a qualified service provider to achieve compliance.
He notes that the past decade has seen a "hardening " of once "flexibly interpreted" data management requirements in HIPAA, and with the passage of the HITECH Act as part of the American Recovery and Reinvestment Act of 2009, a cottage industry of HIPAA data management service providers and clouds have come into the market. Kleinman said he worries that many newcomers lack any real expertise in medical records or health care data, and may be unqualified to provide compliant data protection or archive management services.
"Reputation plays a big role," Kleinman said, noting that his firm is growing its roster of customers at a robust clip. This growth led to a collaboration last year with sister company Fujifilm Recording Media to develop a more general-purpose data management service offering, based around tape technology.
Data management: A mix of external service providers, internal trust and strong reputation
In essence, Kleinman is describing a model for health care data management leveraging external service providers that may well be the standard by which such services are judged.
The company's service, called Permivault, leverages tape technology advances, many of which Fujifilm Recording Media has spearheaded, to provide a robust capacity augment and managed data protection and archive service model via the Internet and private networks. Permivault supplements Fujifilm Medical Systems' current operational approach.
More data breach and security news
Beth Israel Deaconess Medical Center shares insights from data breach
Lahey Clinic: How to create a data breach plan
Health IT Exchange expert: Top barriers to storage virtualization
"We currently offer storage of data only from our own medical software. We are experts on the data management requirements of medical records and images from both a DR [disaster recovery] and archive perspective," Kleinman said. "Our customers typically either host their software with us or send us their data using a storage array that we send them. They fill up the disk in the array and encrypt the data, then send the array to our data center. Once it is loaded, they can synchronize between their local data and ours across a wide area network connection. "
Kleinman says that Permivault adds new ways to load customer data and to store it. Permivault is tape-based and leverages a gateway appliance -- a server with value add software from partner Crossroads Systems -- to coordinate the creation of tapes containing existing customer data. The customer either uses the appliance, called a StrongBox, to create the encrypted tapes of existing data, which are then couriered to Permivault and loaded into a library, or, in the case of customers who haven't yet amassed considerable data, accesses a remote StrongBox at the Denver data center and transmits their data across a secure virtual private network connection to the library. As a third option, customers may prefer to keep a StrongBox appliance in operation locally (after initial load of data at the Permivault data center), where it serves as a Permivault on-ramp that automatically and continuously copies new data across an encrypted WAN link to customer's data repository at Permivault.
The Permivault solution leverages emerging technology around tape file systems, including IBM's Linear Tape File System (LTFS), to provide a data repository whose contents can be accessed in a manner similar to any network file store. As tapes are added to the tape library, their contents are scanned and recorded in a more user-friendly file system tree on the Crossroads Systems StrongBox.
When users need to review or retrieve a file, they simply connect via Secure Sockets Layer (SSL) or virtual private network (VPN) link to the Crossroads appliance and receive a directory display of the contents of their repository. After selecting the appropriate file or files that the user wishes to view or copy back to a local hard disk, the Crossroads StrongBox uses LTFS to retrieve the selected data and to display or copy it as requested. In effect, the solution merges a network-attached storage (NAS) or disk-based file server concept with inexpensive and highly resilient tape technology to achieve a mix of technologies that are affordable both to the service provider and to the customer.
Kleinman sees obvious advantages in blending the Permivault offering with his traditional disk-based DR and archiving practice. Both, he notes, take advantage of the existing Fujifilm Medical Systems service model, with its best practices developed over nearly a decade of work with health care institutions.
Conduct network analysis, strong contract negotiations before choosing storage provider
Kleinman emphasizes that both his service and Permivault's should be preceded by a network analysis to determine bandwidth requirements and to better estimate data travel times. The wide area network, he notes, is the source of the most common challenges in using a service bureau or cloud for data management or hosting.
Moreover, he suggests, customers need to look closely at the service levels for which they are contracting. Service-level agreements need to be specified in contracts, but also supplemented by meaningful steps for resolving service level misses. There should also be effective methods provided for monitoring SLA adherence, including reporting via an online portal, such as the one provided by Permivault. If the service is being used to provide data protection, generous provisions of time for testing and validation should be provided by contract. And, finally, the concept of shared security must be clearly understood.
Responsibility for the security of patient health care data remains with the health care provider under HIPAA and HITECH rules, Kleinman notes, but the service provider also picks up shared responsibility for security. Typically, the customer encrypts any data being sent to Fujifilm Medical Systems or Permivault, whether via tape or a VPN. Following the transfer, Fujifilm implements "extremely strict" safeguards to protect the information that has been entrusted to them, acknowledging the simple reality, Kleinman says that his firm has now become partly responsible for the protection and portability of the patient health care information.
Jon William Toigo is CEO and managing principal of Toigo Partners International, and operates the DrunkenData.com blog on storage and data management. Toigo also has chaired the Data Management Institute since 1992. Let us know what you think about the story; email firstname.lastname@example.org or contact @SearchHealthIT on Twitter.