Chapter 1

The Healthcare Information Governance Imperative

It could very well be that bad information is killing Americans at record rates.

Medical mistakes kill over 250,000 people each year in the U.S.

It is the third leading cause of death overall, behind heart disease and cancer, according to a study by doctors at Johns Hopkins. 1 These numbers are certainly low, since they do not include deaths at nursing homes, surgery centers, and in-home care settings.

The United States has the most expensive healthcare in the world: the most advanced equipment, the most advanced medicines, the best-trained doctors—yet in a recent study of healthcare quality the U.S. came in dead last out of 11 civilized nations. 2 The U.K., Switzerland, and Sweden topped the list. Most Americans would be shocked to learn this.

The U.S. healthcare problem is not due to poor training, faulty equipment, inferior medicines, or lack of financial resources. Rather, the problem is most likely a failure to get the right information to the right people at the right time; that is, caregivers must have accurate, current clinical information to do their jobs properly.

This is an information governance (IG) issue that has life or death consequences. It can be fixed, but healthcare professionals must gain the necessary education and tools, collaborate with experts and each other, and gain executive management support for IG programs.

Across the pond, the issues facing the United Kingdom’s government-funded National Health Service (NHS) are somewhat different: there, IG has been an area of focus for ensuring data quality and protecting patient data for more than fifteen years. Although IG was mentioned in journals and scholarly articles decades ago, the U.K. is perhaps the home of healthcare IG, and arguably of the IG discipline. 3 Could this be the reason the U.K. leads the world in healthcare quality? Certainly, it must be a major contributing factor.

Since 2002, each U.K. healthcare organization has been tasked with completing the IG Toolkit, managed by NHS Digital for the U.K. Department of Health. Although the IG Toolkit has evolved over the years, its core has remained constant. However, in April 2018 it was replaced with a new tool, the Data Security and Protection Toolkit, based around 10 National Data Security Standards that have been formulated by the U.K.’s National Data Guardian. 4

At the same time, the U.K. and the whole of the European Union are replacing their data protection legislation. In the U.K., the Data Protection Act 1998, itself based on a 1995 EU Data Protection Directive, is being replaced with the directly applicable (Brexit notwithstanding) EU General Data Protection Regulation (GDPR) and (at this writing) the pending domestic Data Protection Act 2018.

If U.K. healthcare IG professionals weren’t busy enough keeping up with those major regulatory changes, the Care Quality Commission (U.K. regulator) has recently been given increased powers to inspect around IG issues, as a result of the global WannaCry ransomware attack in May 2017. So there is a massive push for healthcare organizations to implement a government-sponsored Cyber Essentials information security certification scheme.

These challenges for IG practitioners must be met within the construct of real-world needs, that is, to share ePHI more safely as the healthcare system attempts to create system-wide Sustainability and Transformation Plans/Accountable Care Organisations. As has been the case globally, securely sharing ePHI has been problematic, so IG facets like privacy, data governance, and cyber-security have a prominent focus. Previous attempts in the last two decades to create a national U.K. network to share health information failed. 5

U.S. Healthcare Organizations Ramping up IG Programs

According to a recent study, healthcare organizations in the U.S. are increasingly embarking on IG program implementations. 6 Although still in the early stages of adoption, organizations are beginning to understand that IG programs and a focus on clinical data quality are important strategies for succeeding in today’s competitive and increasingly digital healthcare business environment.

IG strategies also address the onslaught of data due to the Big Data trend, that is, a vast increase in the volume, variety, and velocity of data that is being created. Healthcare professionals clearly realize there are opportunities in applying advanced analytics to the mountains of data they are accumulating.

IG programs also address related information management and governance challenges such as patient privacy, information security, regulatory compliance, information lifecycle management (ILM), and governing newer technologies like the Internet of Things (IoT).

Legal, regulatory, and information security demands are often key drivers for establishing IG programs in all industries, but in healthcare, information quality and control are paramount to improved patient care and outcomes.

Unforeseen Consequences in the Rush to Automate

The American Recovery and Reinvestment Act required that “all public and private healthcare providers and other eligible professionals (EP)” implement electronic health record (EHR) systems, and show meaningful use by January 1, 2014. 7 Meaningful use has a somewhat subjective definition, as stated by HealthIT.gov and other organizations. It means that EHR systems improve care coordination, quality, safety, efficiency, and “engage patients fully” while keeping their health information safe and private. 8 Industry estimates often peg meaningful use as utilizing about 40% of overall EHR system capabilities.

EHR automation was mandated by the federal government, and healthcare organizations were threatened with a decrease in Medicaid and Medicare reimbursement levels if they did not implement by the deadline. The mandate to automate, and the mad rush to install EHR systems and to prove meaningful use, resulted in many sloppy, haphazard implementations. What is mostly missing are redesigned business processes with a built-in focus on not only data quality and governance but also information privacy and security. Further, the ability to share information between disparate EHR systems to provide continuity of care is generally lacking. 9

A focus on data quality, from the ground up, means that clinical assumptions and insights are more accurate, and subsequent downstream reports and analyses are more accurate and trusted. Unfortunately, the consequences in the healthcare environment are much more dire compared to other industries: Bad information means people could die.

The consequences of this general carelessness with information in the healthcare industry have resulted in colossal IG failures that almost daily expose major organizations to reputational and financial risk. For instance, in 2018, LifeBridge Health revealed that the electronic health records (EHR) of over 500,000 patients had been compromised, for over a year. 10 In 2017, major breaches included the Molina Healthcare breach, which may have compromised 4.8 million patient records, and the breach at Mid-Michigan Physicians Imaging Center, where the ePHI of potentially over 100,000 patients was exposed. The Center delayed reporting the breach while it investigated, and ended up paying a $475,000 fine levied by the Health and Human Services’ Office for Civil Rights (OCR). The 21st Century Oncology breach in 2015 exposed 2,213,597 patients’ records. 11 21st Century Oncology was fined $2.3 million by the OCR. And in 2015, major breaches included Premera BlueCross, Excellus BlueCross BlueShield, 12 and Anthem Health, where rogue hackers penetrated the organization and stole possibly over 37.5 million records. 13 These organizations obviously did not know where all their protected health information (PHI), personally identifiable information (PII), and confidential electronic documents were located, and took inadequate measures to secure that valuable information.

They—and most healthcare organizations—are not managing information as an asset, are not assessing its risks, and do not have a current inventory or accounting of their information assets, particularly sensitive or confidential information. That is, there is no data map showing where different types of information are stored, and most organizations would have difficulty finding all instances of it so that confidential and sensitive information may be secured.

Most organizations are not paying attention: they leave ePHI and sensitive information (such as race, religion, and ethnicity) out there floating around on their servers unsecured, unencrypted. When it comes time to attend to the problem, most often they “kick the can down the road” and do nothing, since it costs time and money to address the issue. Executives perhaps have their eye on year-end bonuses, not lingering risks. But eventually risks can come home to roost, with horrendous consequences.

The impact only becomes clear after a major event like a data breach or ransomware attack. These types of IG failures can severely damage an organization’s reputation—especially healthcare institutions where people’s health and lives are at stake—and can result in injury, death, and financial loss. Also, thousands of patients can be dragged into a lifelong battle to control their personal information and ePHI.

Ransomware is a major problem. When rogue hackers use ransomware techniques, they take control of an organization’s information and will not release it until a ransom is paid.

When surveyed, nearly 70% of U.S. consumers said they would consider leaving their healthcare provider if it suffered a ransomware attack. 14

Consumers have higher expectations of healthcare providers to keep their data safe, versus other industries, like retailers. Consumers hold healthcare organizations responsible for the security and privacy of their information, not information security software providers or even the government.

There are some basic truths about information security, and one of them is: perimeter security of most networks is easily breached. So sensitive and confidential information must be identified, secured, tracked, and controlled. That means locking down ePHI and ePII with encryption or related technologies.

And when the organization has finished utilizing personal information, it must be discarded according to most state privacy laws, yet medical records must be maintained to facilitate continuity and lifelong care (most U.S. states recommend seven years retention beyond the last care episode, whereas the California Hospital Association recommends 10 years). 15 These conflicting demands make information lifecycle management more complicated for healthcare organizations.
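A data map of the kind the preceding paragraphs call for can be built from a simple inventory scan. The block below is an added illustration, not code from this book or from any organization it discusses: it scans a constructed set of data stores for ePHI/ePII indicators (SSN-shaped strings, medical record numbers, dates of birth), records where they occur and whether that store is encrypted at rest, and computes a retention review date under the two rules quoted above (seven years after the last care episode, or the California Hospital Association’s ten). The store names, contents, dates and the indicator patterns are all constructed assumptions; real discovery tooling uses validated detectors rather than these heuristics.

```python
"""Minimal data-map builder (added illustration; not the book's code).

Scans constructed data stores for ePHI/ePII indicators, records where
they occur and whether the store is encrypted at rest, and computes
retention review dates under two quoted retention rules.
"""
import re
from datetime import date

# Illustrative indicator heuristics (assumed), not a complete PHI classifier.
INDICATORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s?\d{6,}\b"),
    "dob": re.compile(r"\bDOB:\s*\d{2}/\d{2}/\d{4}\b"),
}

# Constructed inventory: location, encryption-at-rest flag, content sample.
SAMPLE_STORES = [
    {"name": "ehr-db/patients", "encrypted": True,
     "content": "MRN 00123456; DOB: 04/12/1961; SSN 123-45-6789; last visit 2016-03-09"},
    {"name": "fileshare/exports/claims_2017.csv", "encrypted": False,
     "content": "123-45-6789,MRN 00123456,hip replacement,2017-11-02"},
    {"name": "fileshare/marketing/newsletter.txt", "encrypted": False,
     "content": "Flu shots available every Tuesday in October."},
    {"name": "laptop-7/Desktop/followups.txt", "encrypted": False,
     "content": "Call re: DOB: 09/30/1975 about results"},
]

# Retention rules quoted in the text: most states seven years, CHA ten years.
RETENTION_YEARS = {"state-7y": 7, "cha-10y": 10}


def classify_store(store):
    """Return a data-map entry: indicators present and the resulting status."""
    found = sorted(k for k, pat in INDICATORS.items() if pat.search(store["content"]))
    if not found:
        status = "none"          # no sensitive data observed
    elif store["encrypted"]:
        status = "controlled"    # sensitive data, encrypted at rest
    else:
        status = "exposed"       # sensitive data, unencrypted: remediate
    return {"name": store["name"], "encrypted": store["encrypted"],
            "indicators": found, "status": status}


def build_data_map(stores):
    """The data map: one classified entry per store."""
    return [classify_store(s) for s in stores]


def exposed_locations(data_map):
    """Locations holding ePHI/ePII without encryption at rest."""
    return [e["name"] for e in data_map if e["status"] == "exposed"]


def retention_review_date(last_episode, rule):
    """Earliest disposition review date under a named retention rule."""
    years = RETENTION_YEARS[rule]
    try:
        return last_episode.replace(year=last_episode.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return last_episode.replace(year=last_episode.year + years, day=28)


def retention_review_dates(last_episode_iso):
    """ISO review date under each rule for a last-episode ISO date string."""
    last = date.fromisoformat(last_episode_iso)
    return {rule: retention_review_date(last, rule).isoformat() for rule in RETENTION_YEARS}


if __name__ == "__main__":
    data_map = build_data_map(SAMPLE_STORES)
    for entry in data_map:
        print(f"{entry['status']:10} {entry['name']:40} {entry['indicators']}")
    print("remediate:", exposed_locations(data_map))
    print("review dates:", retention_review_dates("2016-03-09"))
```

The point of the map is the "exposed" list: the same SSN and MRN that are encrypted in the EHR database reappear, unencrypted, in a CSV export and on a laptop, which is exactly the "floating around unsecured" condition the text describes. The two retention rules give different review dates for the same last visit, which is the lifecycle conflict the paragraph above notes.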

These complex and sometimes competing demands on information assets mean an IG program must be in place with the formal policies and procedures necessary to govern them. IG programs also help organizations meet compliance and legal demands while improving the quality of clinical and financial information provided to caregivers and managers for decision-making. It’s a win-win-win all around, but it is also a major undertaking that requires an executive management commitment to a long-term, “evergreen” IG program.

Major IG Failures

Here are three examples of IG failures, which were very public. These instances bring IG weaknesses fully into view, and demonstrate the critical need for IG programs in healthcare organizations.

Case Brief #1: Associates in Psychiatry and Psychology Ransomware Attack: A Model Response?

Ransomware attacks are among the most serious and prevalent threats to data, especially in the healthcare sector. Ransomware is best understood as a type of malicious software that intends to either publish or block access to information until a “ransom” is paid. While ransomware attacks have grown in complexity, and the means to reverse them along with them, encrypting files and making them inaccessible until the ransom is paid creates real problems for organizations that store massive amounts of personal data.

One of the latest attacks, on the Rochester (Minnesota)–based Associates in Psychiatry and Psychology (APP), 16 was revealed on March 31, 2018. The ransomware attack affected patient information for 6,546 individuals; it appeared that the information was not in a “human-readable” format and that the protected health information wasn’t accessed or copied by the attackers. Ransomware attacks like this speak to the need for information governance and privacy protection programs.

APP had a prompt response to the attack, taking their systems offline. Doing so in a timely manner likely stopped the spread of the attack and limited further encryption of personal data and the data theft that would complete the “ransom” aspect of the ransomware attack.

APP, in a Q&A regarding the incident, reported that it was a “Triple-M” ransomware attack. This variant uses RSA-2048 encryption, which relies on 2048-bit keys, so the data cannot be recovered without the attacker’s private key. A ransom was paid because the backups needed to restore the files could not be accessed after the attack. The initial ransom demand of 4 Bitcoin ($30,000) was not paid; instead it was negotiated down to 0.5 BTC ($3,800). With the systems and data now restored, APP has installed additional layers of security as well as new remote access policies.

Ransomware attacks are not unique, even within the healthcare sector. What is fascinating about this attack is the amount of information shared with affected patients and the openness with which APP talked about the breach. Most breaches go unnoticed in the public eye because very little information is shared with the general public, even those directly affected, especially if the data wasn’t accessed or copied. APP’s transparency provides affected parties the ability to understand how the breach affects them and what they can do to protect themselves.

Other organizations should stand up and take note: APP’s response should become the standard.

Case Brief #2: An Information Governance Failure: Anthem, Inc.

In 2016, a year after the largest healthcare data breach to date, where as many as 40 million confidential records of members and employees at Anthem, Inc., were hacked, little had been learned about the nature, motivations, implications, and real costs of the breach. 17 According to Anthem the data breach affected several of its brands, including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, and UniCare.

Anthem, the nation’s second largest health insurer, had insurance themselves—cyber-insurance. Perhaps that was why executives felt assured prior to the attack. Most of the initial costs were likely absorbed by a $100 million AIG cyber-insurance policy. But there have been many class action lawsuits filed, and “unresolved legal issues likely have stifled further disclosure of what is known.” 18

By law, Anthem was not required to encrypt the PII, although this is a standard industry best practice. Certainly, victims sued Anthem just on the basis that they did not take proper care of their PII while in their custody.

The PII compromised included names, addresses, birthdates, social security numbers, medical IDs, e-mail addresses, and salary and employment information. 19 Anthem provided two years of credit monitoring for those who were affected. This was a mild measure, as hackers usually wait years to sell compromised data.

Certainly, Anthem’s reputation was damaged, and the massive breach led to acquisition target Cigna questioning Anthem’s information governance posture, data privacy, and security measures, and the resultant legal impact. In a letter, Cigna’s CEO and former Board Chairman wrote, “Trust with customers and providers is critical in our industry, and Anthem has yet to demonstrate a path toward restoring this trust. We need to understand the litigation and potential liabilities, operational impact and long-term damage to Anthem’s franchise as a result of this unprecedented data breach, as well as the governance and controls that resulted in this system failure.” 20

But a year after the event—since the lawsuits had not been settled—there had been no significant impact on Anthem’s profits. Anthem executives essentially buried the breach event, as they did not address it and its impact on their quarterly earnings calls in the year after the breach.

So far, according to the FBI, there has been no evidence that the compromised records have been sold—although a common tactic of hackers is to wait until the breach has been forgotten before they attempt to sell the data.

Anthem has taken steps to shore up its information security practices, hiring cyber-security firm Mandiant just after the attack. Also the National Association of Insurance Commissioners (NAIC) commissioned a “market conduct and financial exam” of the breach, but the report is classified.

Case Brief #3: 21st Century Oncology

In late 2015, hackers compromised the records of approximately 2.2 million current and former patients of 21st Century Oncology, the largest radiation oncology provider in the U.S., which operates nearly 200 cancer treatment centers in the U.S. and Latin America. 21 In 2017, 21st Century Oncology declared bankruptcy and paid a $2.3 million fine to the U.S. Department of Health and Human Services. 22

Patients were notified that their PII and PHI had been compromised, including names, social security numbers, physician names, diagnoses, treatment course, and insurance information.

Health information is the most valuable to hackers, more valuable than credit card information, which can be changed and nullified quickly and has liability limits. Stolen health credentials do not have an expiration date, and can fetch up to 50 times the value of credit card identity information. Forged or fake healthcare insurance credentials can allow rogue patients to undergo surgeries and expensive treatments and bill them to the identity theft victim’s insurance, possibly leaving them with a large co-pay bill. Expensive procedures like hip replacements and even heart surgery have been performed on patients using stolen medical credentials.

Between 15 and 20 separate class action lawsuits were filed against 21st Century Oncology as a result of the breach. A U.S. magistrate judge recommended the consolidation of the cases into a single class-action claim. Victims of the breach have reported various incidents where they have already been impacted, such as unauthorized closing of bank accounts, and harassing and fraudulent phone calls, including some where criminals pose as IRS agents attempting to collect taxes that were not owed.

Other victims are pursuing legal action over the handling of the breach incident response, since 21st Century Oncology waited more than three months after the FBI notified them to notify those affected. Company officials cited the criminal investigation as the reason for the delay.

21st Century Oncology did provide one year of identity fraud protection to those whose records were compromised. One of the victims was not able to sign up, as someone had already used her credentials to do so!

A large number of victims notified about the breach had no knowledge they might be affected, since the healthcare facility they used operated under another brand name.

The 21st Century Oncology data breach demonstrates that most organizations are ill-prepared to prevent or respond to a major data breach. They have not done regular cyber-security vulnerability assessments or live penetration tests to find where their weaknesses are, before rogue players do. They have not invested enough in privacy measures and breach response protocols. IG programs address these key issues on a consistent, methodical basis and reduce the likelihood that the major breaches will occur, and if they do, lessen their impact.

Information Assurance: Trusted and Accurate Information

With accurate and trusted information, healthcare professionals can do the job they were trained to do, and drastically reduce medical mistakes. This is an IG effort with the highest purpose: one that will save lives.

On top of this noble pursuit to save lives by improving information and its delivery are the layers upon layers of regulatory compliance requirements, and increased litigation demands, all of which add cost to healthcare operations. These forces are adding increased cost pressures to U.S. healthcare organizations, which are already under pressure to cut costs and perform financially.

On the positive side, IG efforts in healthcare have the opportunity to greatly improve clinical insights by leveraging advanced analytics. This has the potential to improve healing, recovery rates, and patient satisfaction. Further, financial and service innovations can arise from new insights gained by leveraging business analytics and other tools.

Healthcare, particularly in the U.S., is at a crisis point, having invested so much in automation, training, and advanced equipment and medicines—yet yielding such troubling results in healthcare quality and outcomes. The move to value-based care approaches will help address this issue, along with increased IG adoption.

Strong, ongoing IG programs can help harness the power of all the investments in clinical and financial systems that have been made, and improve results for patients and other healthcare stakeholders.

Chapter Summary: Key Points

■ Poor Information Governance (IG) and data quality practices may largely be the cause of over 250,000 people dying of medical mistakes each year in the U.S.

■ The practice of IG in healthcare began in the U.K. in 2002.

■ Major regulatory changes in the U.K. and Europe are forcing IG programs into greater prominence and maturity.

■ Medical mistakes are the third leading cause of death in the U.S.

■ The U.S. has the most expensive healthcare in the world, yet it is rated poorly in healthcare quality when compared to other civilized nations.

■ With accurate and trusted information, healthcare professionals can do the job they were trained to do, and drastically reduce medical mistakes.

■ The U.S. government mandate to automate and install electronic health record (EHR) systems over the past several years has resulted in a lot of sloppy, haphazard implementations.

■ Healthcare organizations are starting to implement IG programs in the U.S. and are beginning to understand that IG is an important strategy to meet pressing information demands.

■ Business processes must be redesigned with a built-in focus on information privacy and security and also data governance and quality. These are IG program efforts.

■ IG addresses issues such as data quality and integrity, lifecycle information management, patient privacy, and compliance. Legal, regulatory, and information security concerns also are drivers for establishing an IG program.

Notes

1. Jen Christensen and Elizabeth Cohen, “Medical Errors May Be Third Leading Cause of Death in the U.S.,” CNN.com, May 4, 2016, http://edition.cnn.com/2016/05/03/health/medical-error-a-leading-cause-of-death.

2. Dan Munro, “U.S. Healthcare Ranked Dead Last Compared to 10 Other Countries,” Forbes, June 16, 2014, http://www.forbes.com/sites/danmunro/2014/06/16/u-s-healthcare-ranked-dead-last-compared-to-10-other-countries/#7aa717021b96.

3. Andrew Harvey and Barry Moult, e-mail to author, February 25, 2018.

4. Ibid.

5. Ibid.

6. “Information Governance in Healthcare: A Call to Adopt Information Governance Practices,” AHIMA and Cohassett Associates, 2014, p. 12, http://research.zarca.com/Survey.aspx?k=SsURPPsUSVsPsPsP&Lang=0&Status=&Data=&Dir=NXT&Uid=802346543&rnd2=1&rnd=7771.698151106978.

7. “Federal Mandates for Healthcare: Digital Record-Keeping Requirements for Public and Private Healthcare Providers,” USF Health Online, https://www.usfhealthonline.com/resources/healthcare/electronic-medical-records-mandate.

8. Ibid.

9. Vicki Skidmore, RHIS, IGP, e-mail to author, March 1, 2018.

10. Beth Jones Sanborn, “LifeBridge Health Reveals Breach That Compromised Health Data of 500,000 Patients,” Healthcare IT News, May 23, 2018, https://www.healthcareitnews.com/news/lifebridge-health-reveals-breach-compromised-health-data-500000-patients.

11. “Major 2016 Healthcare Data Breaches: Mid Year Summary,” HIPAA Journal, July 11, 2016, http://www.hipaajournal.com/major-2016-healthcare-data-breaches-mid-year-summary-3499.

12. Jessica Davis, “7 Largest Data Breaches of 2015,” Healthcare IT News, December 11, 2015, http://www.healthcareitnews.com/news/7-largest-data-breaches-2015.

13. Cameron F. Kerry, “Lessons from the New Threat Environment from Sony, Anthem and ISIS,” Brookings Institution, March 26, 2015, http://www.brookings.edu/blogs/techtank/posts/2015/03/26-anthem-sony-isis-hack-cybersecurity.

14. Rebecca Wynn, CISSP, CRISC, CASP, CCISO, LinkedIn post, May 31, 2017.

15. Vicki Skidmore, RHIS, IGP, e-mail to author, March 1, 2018.

16. Jessica Davis, “Minnesota Ransomware Attack Shows the Right Way to Handle Breach Response,” Healthcare IT News, May 25, 2018, https://www.healthcareitnews.com/news/minnesota-ransomware-attack-shows-right-way-handle-breach-response.

17. Bob Herman, “Details of Anthem’s Massive Cyberattack Remain in the Dark a Year Later,” Modern Healthcare, March 30, 2016, http://www.modernhealthcare.com/article/20160330/NEWS/160339997.

18. Ibid.

19. “Anthem Medical Data Breach,” Wikipedia.org, last modified November 20, 2017, https://en.wikipedia.org/wiki/Anthem_medical_data_breach.

20. Herman, “Details of Anthem’s Massive Cyberattack.”

21. Frank Gluck, “21st Century Oncology Data Breach Prompts Multiple Lawsuits,” News-Press, July 22, 2016, http://www.news-press.com/story/news/2016/07/22/21st-century-oncology-data-breach-prompts-multiple-lawsuits/87386068.

22. Jessica Davis, “21st Century Oncology to Pay OCR $2.3 Million for 2015 Breach,” Healthcare IT News, December 13, 2017, http://www.healthcareitnews.com/news/21st-century-oncology-pay-ocr-23-million-2015-breach.
