Forget Reading Regulatory Tea Leaves and Take Control of Data Security

It’s a challenging time for healthcare IT executives. Companies need to maintain HIPAA compliance as proposed government rule changes are still being solidified. Interoperability is required, so that authorized providers with patient consent can access sensitive data quickly and gain insights to make the best possible decisions about patient care.
And then there’s the ever-present threat of data breaches like the massive ransomware attack on Change Healthcare. That incident exposed the private data of 190 million people and severely disrupted provider revenue cycles. The pressing need to avoid data breaches adds another layer of complexity, reminding us all that data security can never be an afterthought.
It gets more complicated due to the unique nature of healthcare, which must be available even during power outages and in the middle of natural disasters. That underscores the importance of data backup since continued access to sensitive medical information is crucial in both the physical and digital senses.
It’s a balancing act, but there is an approach that gives healthcare and health tech organizations a way to exceed regulatory standards while enabling interoperability and local data control. It starts with a data foundation that is HIPAA compliant and secure, and that enables interoperability and processing at the edge to maximize control.
When It Comes to Compliance and Security, Don’t Just Check the Boxes
Federal regulations around HIPAA are in flux due to the growing number of cybersecurity threats. For example, in January, HHS posted a proposed rulemaking notice to modernize security practices. No one is sure exactly what will come next, which is why healthcare IT professionals should view HIPAA compliance as a baseline and aim much higher.
That’s a critical point because if you review a list of data breach victims in the healthcare space, you’ll see organizations of all sizes, including billion-dollar corporations with advanced security certifications. But sometimes checking all the right boxes can create a false sense of security. All organizations need to stay a step ahead because threat vectors never rest.
All too often, companies relying on certifications are unaware of their exposure when transmitting information and working with vendors. Taking back control is the key, and it can be done with a data foundation that goes beyond basic HIPAA compliance to include security, backup and local control over data access.
Operations at the Edge Provide Transparency and Control
That’s how it works at SOPHiA GENETICS, an AI platform that analyzes genomic profiles to give clinicians insights into genetic makeup to guide medical decisions. Since they analyze human genomes, the data the AI platform works with couldn’t be more personal, and it is voluminous since one person’s genomic sequence can take up to 20 gigabytes.
The standard approach for a provider conducting analysis would be for the healthcare organization to transfer data to a cloud where it could be accessed and moved into another cloud (or series of clouds) for AI analysis. This requires a robust infrastructure at every point and reduces the ability to control the information.
Instead, SOPHiA GENETICS works with a digital health partner that facilitates data extraction and interoperability enablement on the end customers’ cloud, e.g., the hospital’s system, moving the data to the AI platform for proprietary analysis. By operating at the edge, this approach reduces latency and increases control, which improves efficiency during the collaboration.
From a healthcare IT perspective, the most compelling aspect of this setup is that it allows the hospital or healthcare provider to retain full control and visibility over their own data. The hospital’s CISO can be confident that only the specific data needed for clinical insights—shared with SOPHiA GENETICS—is transmitted, and that all activity complies with HIPAA and other relevant regulations.
The Business Case for Taking Control of Security
There’s much uncertainty in the regulatory environment right now, but two long-term trends are accelerating. One is the drive for interoperability because so much innovation in medicine depends on the ability to freely exchange data with patient consent and authorization. The other trend is an increase in data breaches, and malicious application of AI is increasing the threat.
It’s time for healthcare IT professionals to quit trying to read the regulatory tea leaves and take control of their data instead. Checking the box on HIPAA compliance is important, as are security certifications, but with higher-volume data exchanges, maintaining control over an organization’s information is job one.
So, start with a data foundation that is not only HIPAA compliant but also secure, backed up and supportive of interoperability so organizations can maximize collaboration across the care continuum. Look for ways to manage data processing at the edge to keep your organization’s data under control. If healthcare systems and providers aim high on security, the regulatory compliance will take care of itself.