乌鸦传媒

Skip to Content

The Patient Data Security Blindspot

乌鸦传媒
13 Sep 2022

For the sake of patients, doctors and healthcare institutions, we need to safely and responsibly unlock patient data.

In the wrong hands patient data can be a nightmare. Managed correctly, it鈥檚 a source of immense value. It鈥檚 time to advance a new patient data ecosystem that combines unwavering security with responsible access.

THE PROBLEM

An example scenario: what we鈥檙e missing

A middle-aged patient is rushed into the emergency department of his local hospital, noncommunicative and alone. His medical files reveal a broken wrist, some dermatology concerns, a bone marrow donation and grief counselling. Each entry a story; together they represent a life. But right now, the lead cardiologist doesn鈥檛 need a novel. He needs precise information about the man鈥檚 heart 鈥 fast 鈥 so that he can save his life.

In a perfect world, what data would hospitals like their surgery teams to see the moment they open a patient鈥檚 file?

Patient record number + emergency contact

  • Allergies
  • Current medications
  • Health issues [heart condition]

Status of heart condition

  • Most recent coronary event
    • Course of action
    • Past coronary events
      • Course of action
    • Doctors鈥 notes in descending order

A different set of information would be available to his attending nurses. Another would inform his physical therapist. And for the patient, a clear and readable version would help him understand his condition and course of treatment in the language he understands. If you could organize data in the proper usage context, doctors, patients and other healthcare workers would all be able to see at a glance the information most relevant to them, and would use it to inform their decisions.

Of course, patient data is not like any other data. Unrestricted sharing of patients’ intimate health information would be an unforgivable violation 鈥 emotionally and financially. And given the immense profit motive involved, the risk of disreputable players getting their hands on patient data is ever present. However, the solution up to now 鈥 locking patient data far, far away 鈥 is no longer viable. Without the ability to access and manage patient data, vital information from years past gets buried under newer files. Results are lost or forgotten, and tremendous opportunities in everything from AI to patient engagement are missed. In the age of connected health, security is not enough: patient data must also be accessible.

Current data security puts a burden on patients…

Health problems are among the most stressful events in our lives. Healthcare systems have an ethical duty not to add to that stress with overly complex, difficult systems. Not only does this put an emotional strain on patients, it鈥檚 often outright unmanageable. What for you and me may be a hassle, for an elderly patient is often impossible, which is one reason why . (The other main reason? .) The same goes for a patient who鈥檚 in shock, on strong pain medication 鈥 the list goes on. Health problems and byzantine systems don鈥檛 mix, and we should have no illusions of being patient-centric if patients are struggling to access and understand their own files.

Ironically, some of the solutions in use today are so behind the times that they add a different kind of burden. Fax machines are no longer ubiquitous. For a patient to send or receive data by fax often requires a special trip to a family member鈥檚 office or some other public place, creating both a hassle and a security risk. Security measures need to be moving forward to meet the needs of new forms of patient data, such as smart home devices and IoT equipment. Expecting patients to use son-in-law’s secretary鈥檚 fax machine is no longer an option.

…and costs doctors valuable time

Doctors face a different kind of pressure 鈥 time. Doctors鈥 time is precious. It takes over a decade to train one doctor, and much more than that to gain expertise. The idea that doctors should be spending any of their limited time searching through files and databases is mind-boggling. But they do. One study in the UK found an average of about . (Some of which is necessary. The report cites chart review (33%), documentation (24%), and ordering (17%). ) Assuming doctors do unearth the necessary data, they鈥檙e presented with a series of disconnected snapshots of their patients 鈥 separate files from various visits and tests from multiple institutions (not always complete), perhaps with many critical findings buried within. Sometimes data is missing altogether. One study found that over the past decade in the US alone. Modern data management technology needs to be more secure, while also providing intelligent access to patient records 鈥 turning data from a cost into a source of immense value.

THE SOLUTION

Caregiver showing diet tracker to the patient

How government can make patient data secure and accessible

The good news is: solutions already exist. Banks are already sharing data securely, because they need to. (You can鈥檛 perform a transfer if you don鈥檛 share at least some data.) This is the shift that healthcare must take: from a focus solely on data security, towards the science of compliance and enablement.

Individual institutions can鈥檛 do much on their own. The change needs to come from the governing bodies that set the security regulations for patient data. In many countries that may be a government body such as the EU, or it could be a private consortium comprising a group of hospitals and other patient care institutions.

Around the world approaches differ. A common choice is the centralized system, where one organ (the government) controls all data and regulations. Germany is currently in the process of rolling out a federated identity management approach to access data 鈥 putting the identification process in the hands of intermediaries (hospitals, insurance companies), while giving patients ultimate control of their data. However, it has proven unpopular among patients and doctors. In The Netherlands, ambitious legislation is in the works that would put complete data sovereignty in patients鈥 hands. Three solutions need to be in place to improve patient data security and make it accessible:

Shared APIs

APIs aren鈥檛 the only solution to sharing large volumes of patient data (the above-mentioned German system prohibits the use of APIs for all but anonymized data), but they are one of the best. Around the world, has arisen as the gold standard for storing and structuring patient data. APIs can then be used to access this structured data using certain operations (defined as 鈥渋nteractions鈥 by FHIR), thus enabling data to flow within or between institutions. The operating system doesn鈥檛 matter, only the recipient. Which leads to the central question: how do you decide which data can be shared, and with whom?

Centralized authorization

The solution is a comprehensive set of rules governing who has access to what. It is neither short, nor simple, but it is achievable. (If banks can do it, so can healthcare institutions.) This authorization engine consists of a set of rules, spliced with special allowances for unique situations and specific people. (For example, HIV status will be classified as among the most private, least sharable data. However, an allowance must be made for doctors certifying blood donations.) Note that authorization (deciding who has authority to do what) is a different process entirely from authentication (verifying an individual鈥檚 identity), to which we turn next.

Frictionless authentication

Patients are not going to carry around passwords in their memories. (If they could, the passwords would be too weak.) Biometric identification such as retinal scans, fingerprints and facial recognition are likewise unreliable during many health emergencies. There are, however, some intriguing solutions out there. Many are based on smartphone apps, including 鈥 an alliance that lets users confirm their identity with common devices, including smartphones.

In Norway, many people carry a 鈥 an ingenious little device that plugs into a computer鈥檚 USB portal and provides strong two-factor identification. Norwegians use their Youbikeys to speed up payment, for banking, and for other activities that require identification. With frictionless authentication, patients and healthcare workers can instantly be provided with exactly the data which is appropriate for them, when and where they need it. The importance of creating a user-friendly interface cannot be overstated. Governments have poured immense resources into their patient data systems, only to watch them flounder due to weak user experience. People today expect the intuitive design of Amazon or iTunes, and they make their judgement .

The future of connected health

The ability to access and organize patients鈥 data is the first step for advances in multiple directions. It provides the framework around which predictive and personalized medicine can evolve. It is the foundation for a new generation of connected health. Patterns and connections are waiting to be discovered: in an individual patient鈥檚 files, and in the combined data of multiple patients. Artificial intelligence excels at exactly the kind of pattern recognition that could be helping patients find solutions to their ailments, but first it needs access to that data.

Solutions already exist with the power to keep patient data secure and accessible when needed. Ensuring excellent user experience is already a requisite for commercial products. Healthcare systems don鈥檛 need to start from scratch; the tools are already here. 乌鸦传媒 has decades of experience working with complex data systems, data consortiums and digital transformation. We鈥檝e provided change management for partners around the world and helped transform customer engagement. We’re looking at the challenges that healthcare is facing up close, and we see an immense opportunity to apply recent advances in data science and user experience to healthcare. When that happens it will be a true leap forward in patient care.

What could your institution do with intelligent access to patient data? Contact us below to discuss your institution鈥檚 data needs, and keep up with the latest on data security, sustainability and more. Find out more about our services in health and social care.

Our Expert

Anne Stahl

Managing UX Strategy Consultant, GER