When people upload their genetic information to a genealogy site, they often hope it will lead them to a relative who’s famous. They probably don’t expect that relative to be infamous – or the leading suspect in a 40-year-old “cold case” involving mass murder.
Yet that’s just what happened earlier this year, when police in California turned to publicly available DNA data in a long-shot effort to solve the “Golden State Killer” murders. Detectives plugged in DNA profiles from crime scenes in the case and got back several partial matches of likely relatives. Those became starting points for a “family tree” of the killer, eventually leading to a man police observed until they could obtain a known DNA sample, which they said matched the profile from the crime scene.
While the police and the families of the victims celebrated, the news also led many consumers to become aware of just how easily the health data they produced for one purpose could be used for another – and without their knowledge.
That underscores the ever-growing problem of data security for personal medical information.
The patient information in modern medical databases holds enormous potential in diagnostic and treatment decision support in healthcare institutions. It is crucial to developing innovations in risk assessment, outcomes improvement, and clinical efficiencies.
The information is also highly sensitive because it reveals so much about an individual. As the volume and sophistication of the data grow, the industry faces heightened scrutiny from consumers and increased regulation to protect privacy.
That, in turn, has created an enormous need for the industry to address the complex security challenges of this data, protecting patients without losing the value that the information offers them and the healthcare system itself. Healthcare institutions and their partners need to make smart planning and technology decisions to stay ahead of the problem.
This is an area where technology companies can partner with the healthcare industry to combine security and innovation to drive forward these initiatives while minimizing risk.
While the cloud offers the greatest potential for security and sharing, the industry is moving there cautiously, given the high stakes. Many hospitals and other providers are seeking interim solutions that provide an array of security, identity, and access management tools that work with their on-premise IT today, as well as in an eventual transition to the cloud.
Often, these institutions will first attempt to create their own security and identity system using their in-house developers. Others will try to address the problem by adding a series of single-point security tools from a wide variety of vendors to each subsystem or individual database.
There are some fundamental problems with this approach, and they often cause institutions to abandon the attempt. For one thing, building your own security and identity system across all of a healthcare institution’s functions is a difficult undertaking, one that requires expertise that many institutions lack. That complexity, and therefore the time required to complete the job, make it an expensive undertaking as well. At the same time, building a system in piecemeal fashion is likely to create inefficiencies, because it requires duplicating functions, like auditing, at each subsystem or database.
Most importantly, “build your own” is an approach that actually can increase security risks. For example, imagine a hospital that wants to ensure it is maximizing value-based care. That means its analysts are routinely federating data from a number of different systems, checking patient records for proper identity and potential duplication, pulling provider notes, and cross-referencing with cost data. Every one of those data requests presents potential for a security problem, and a weakness in any subsystem could expose a significant amount of patient information.
Oracle takes a different approach by putting all the various data sets into a single, aggregated data warehouse that has healthcare-specific security, authentication, and auditing tools embedded. Now that same analysis is not only more efficient, but also more secure.
For example, sophisticated access control protocols can ensure that this sensitive health data is available only to certain users under specific circumstances. This can be combined with data masking that can obscure portions of the information that the user isn’t authorized to see, as well as encryption that protects the information in the case of a breach by hackers. It also reduces the auditing burden: it’s much easier to monitor access to a single environment than to several.
Finally, this approach positions institutions for an eventual transition to the cloud. Both the data and the analysis tools used on-premise can be relocated and used from the cloud, along with increased levels of security made possible by the enormous resources involved in cloud management. Instead of institutions having to create and manage their own data security and privacy technology, they can turn the task over to experts who are managing those issues across the industry and in alignment with changing global regulation.
Whether the concern is EHRs, genetic profiles, or any other health-related information, security and privacy concerns will only keep getting more serious. Making the right technology choices now will help institutions avoid serious issues today and into the future, while taking advantage of the power of technology and data to do better for patients and the bottom line.