The HITECH Act introduces the first federally mandated data breach-notification requirement, which requires physicians who use an electronic health record to have the ability to track each time patient information is disclosed. While the law will not kick in until 2014, records will need to be available to respond to requests for three years prior to Jan. 1, 2011.
Providers are required to post information about security breaches if a breach affects 10 or more patients. If a security breach affects 500 or more patients, organizations must notify all of their patients, a local media outlet, and the secretary of Health and Human Services.
Most healthcare organizations capture system log files that track who has accessed specific health records. This can present problems, as the time-stamped log and event data files can rapidly accumulate over time. Many organizations collect terabytes of this data in a single day. Multiply that by three years of records and the technical and economic challenges of storing terabytes of information become clear.
Traditional security and log-management approaches are not always suited to store and manage the surging data volumes required by HIPAA and the HITECH Act. Many log-management products are offered and deployed as appliances. These appliances might eliminate the need to install software, yet they may also have limited storage capacity and could add complexity to analyzing and generating reports from the hundreds of terabytes - and even petabytes - of data.
One approach is to deploy traditional data warehouses to manage and analyze log files and event data. In fact, the market potential for HIPAA compliance has motivated a number of data warehouse vendors to offer products specifically for healthcare compliance. Time-stamped event and log data files, however, present tremendous challenges for traditional data warehouses using relational databases.
Software-based log-management and database solutions optimized for event data can provide better performance and a greater degree of deployment flexibility. One example is a database built on a columnar architecture, which stores its content by column rather than by row. This has advantages where aggregates are computed over large numbers of similar data items. Columnar databases also allow a query to run against a single column, limiting the search to relevant data rather than the entire database. As a result, queries can be completed much faster than with relational architectures.
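The difference between the two layouts can be seen in a small model of an access audit log. This is an added example, not code from the article or from any vendor; the field names and sample events are constructed, and the count of cells read is a simplified stand-in for disk I/O.

```python
from collections import Counter

# Constructed sample audit events (not real data): who touched which record.
FIELDS = ("ts", "user", "patient_id", "action")
ROWS = [
    ("2011-03-01T08:15:02", "dr_lee",   "P-1001", "view"),
    ("2011-03-01T08:17:40", "nurse_ok", "P-1002", "view"),
    ("2011-03-01T09:02:11", "dr_lee",   "P-1001", "disclose"),
    ("2011-03-02T14:30:55", "billing1", "P-1003", "export"),
    ("2011-03-02T16:45:09", "nurse_ok", "P-1001", "view"),
    ("2011-03-03T10:05:33", "dr_lee",   "P-1002", "disclose"),
]

def to_columns(rows):
    """Pivot row tuples into one list per field (the columnar layout)."""
    return {name: [r[i] for r in rows] for i, name in enumerate(FIELDS)}

def row_scan(rows, patient_id):
    """Row layout: every field of every row is read to test one field."""
    cells_read = len(rows) * len(FIELDS)
    hits = [r for r in rows if r[2] == patient_id]
    return hits, cells_read

def column_scan(cols, patient_id):
    """Columnar layout: scan one column, then fetch only the matching rows."""
    pid = cols["patient_id"]
    idx = [i for i, v in enumerate(pid) if v == patient_id]
    hits = [tuple(cols[f][i] for f in FIELDS) for i in idx]
    cells_read = len(pid) + len(idx) * (len(FIELDS) - 1)
    return hits, cells_read

def accesses_per_user(cols):
    """Aggregate over a single column; the other three are never touched."""
    return Counter(cols["user"])

if __name__ == "__main__":
    cols = to_columns(ROWS)
    print(row_scan(ROWS, "P-1001"))      # same hits, more cells read
    print(column_scan(cols, "P-1001"))   # same hits, fewer cells read
    print(accesses_per_user(cols))
```

Both scans return the same audit trail for one patient; the gap in cells read widens as the number of fields per event and the number of events grow.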
Software solutions can also be integrated with high-volume, long-term storage products, with the ability to add capacity as event data volumes increase. To keep deployment and maintenance costs to a minimum, the software should work on commodity hardware running Linux, and provide an easy way to add hardware for scalability. The system should also be able to work on virtual machines or in cloud-based computing environments, as many organizations are shifting resources to these approaches to reduce computing and processing costs.
Aside from storage and analysis concerns, healthcare executives and IT pros increasingly need to be able to use other analytics applications to access, query and analyze event data. Therefore, any event-data or log-management system should be able to work with third-party analytics applications.
From a high-level perspective, the operational, security and compliance challenges facing the healthcare industry today are part of growing pains as organizations shift from manual, paper-based practices to a national electronic system to achieve the promise of safer, cost-effective healthcare. By ensuring all elements of the system work together seamlessly - including the applications that manage governance, risk and compliance - healthcare organizations can spend more time focusing on the needs of patients, and less time on operational and security issues.
About the author
Joe Gottlieb is vice president of marketing and business development at SenSage.