July 2016
Information Governance: A Bright Future in the Cloud
By Selena Chavis
For The Record
Vol. 28 No. 7 P. 12
Health care organizations are increasingly looking "up" to manage Big Data.
Today's IT professionals would be hard-pressed to discuss forward-looking data governance strategies without considering the advantages of the cloud. No longer an emerging technology, cloud infrastructures have established their niche as a low-cost, high-powered, scalable option to advance information management strategies.
For this reason, many hospitals and health systems are leveraging this option to manage the ever-growing complexities of Big Data and information governance (IG). According to Stephanie Crabb, principal with Florida-based Immersive, IG's core principles are to manage information at an enterprise level to support a host of goals and requirements. As such, the IG principles of transparency, availability, and retention align well with use cases for the cloud in health care.
Crabb says the cloud is reshaping health care in several facets, including by providing the following:
• storage of the voluminous data sets that originate from many source systems within health networks;
• "on demand" access to and sharing of critical clinical and operational information; and
• improved business intelligence and analytics activities stemming from the cloud's ability to accommodate information volume and speed-to-use with higher computing power.
She also points to potential pitfalls. "It is the IG principles of protection, integrity, accountability, and compliance that introduce challenges as it relates to the cloud, but when we consider private cloud and other specific deployment models, some of these challenges can be addressed successfully," she says.
Sue Trombley, MLIS, FAI, IGP, managing director of thought leadership at Iron Mountain, says organizations deciding whether to move to the cloud must take into account IG issues such as retention and disposition capabilities, potential technical concerns related to input and access, and privacy, security, and legal considerations. "Information management professionals must work with others in their organization to consider these impacts and make an educated cloud-based solution decision," she says.
IG in the Cloud: Pros and Cons
The distributed nature of the cloud provides an advantageous framework for streamlining complicated IG processes by creating greater access to data, according to Dick Taylor, MD, executive vice president and chief medical officer with Texas-based MedSys Group. "Distributed technology allows you to be more flexible and set up standards that apply more broadly across an organization, so you have economies of scale and economies of access," he notes, explaining that the IG process can be distributed both in terms of distance and time to make governance synchronous and information accessible anywhere. "Part of the governance process is to understand the information you have and where it is."
Trombley points to specific benefits, including the following:
• Scalability: Organizations may scale up or down quickly to easily meet demand.
• It's a metered service: Organizations pay for only what they use. They also enjoy better data to manage service utilization and make accurate cost/benefit calculations.
• It's an operational expenditure: There are no upfront costs or capital expenditures required; all costs are purely operational.
• Space saving: If it's in the cloud, it's not taking up space onsite.
• Reduces development costs: Because the cloud service has already been established, development and implementation costs are greatly reduced.
• Minimizes the need for in-house expertise: Cloud-based services feature support staff available on an as-needed basis.
• Low-cost experimentation: Organizations can try new applications and services without worrying about wasting time and money should the experiment fail.
Taylor says the vast space available on the cloud is often viewed as advantageous, but health care organizations must exercise caution when taking advantage of the perk. "There are huge amounts of space in the cloud for which you pay and for which you have variable levels of risk. Part of information governance is governing your approach to that risk and cost," he explains. "The questions now are: 'What is it costing us, what is the value of keeping this information around, and how are we rationalizing this businesswise?'"
Taylor notes that many of the cloud's virtues also can be viewed as drawbacks. "You are limited to user interface paradigms that distribute more widely, and it is possibly more difficult to create very customized work away from the network," he says. "It can also be very difficult to create segmented discussions you intend to keep private. Privacy is more difficult to achieve. Regulatory compliance is more difficult to keep under control."
Crabb adds that like any other IT resource, the cloud's potential value and risks must be explored on a case-by-case basis. "An IG framework and program provide the rubric for this evaluation that can be applied consistently and repeatedly," she says. "When an organization has a documented IG program, it provides a vehicle from which an organization's information management standards and performance expectations can be socialized and established with a cloud vendor."
What About Security?
According to Crabb, security concerns have impeded more widespread adoption of cloud services in the health care sector. In fact, 71% of the IT and IT security professionals interviewed for the 2014 Ponemon Institute study, "The Challenges of Cloud Information Governance: A Global Data Security Study," reported that it is more complex to manage privacy and data protection regulations in a cloud environment than in on-premise networks.
Taylor says the cloud introduces two sets of security issues: identification and authentication. "On the internet, you have to prove who you are. You have to be reliably identified," he explains, adding that the cloud takes a local problem and expands it worldwide. "The bottom line is that security always wars with convenience in the cloud, and there has to be a compromise in there somewhere that allows you to say yes."
From a security standpoint, an information management infrastructure is required to delineate who can make certain decisions and how they are made. "How do we ensure we are enforcing the right activities? How do we make sure the right people can change those things and the wrong people can't?" Taylor asks. "In the cloud, it's easier to masquerade as someone else and easier to lose track of somebody's permissions because you don't see what they are doing."
According to Trombley, the security concerns that most often surface include the following:
• Liberally written contracts and services agreements that typically favor cloud vendors with respect to "information ownership." "Great attention needs to be given to ensure that the client owns the information. Period," Trombley says. "A cloud vendor that won't agree to this provision is probably not a vendor with whom you want to work."
• Uncertainty about who is accountable for safeguarding information stored in the cloud. What enforcement policies are in place? Do the client organization's policies guide the practice? Or is the client at the mercy of the cloud vendor's policies?
• The IT security team is not involved in all aspects of the decision-making process related to cloud services.
• Challenges with respect to access control and regulatory compliance introduced by the convenience of "availability." In essence, how employees and third parties access and handle electronic protected health information and other sensitive information in the cloud.
When it comes to security, Taylor believes an organization that follows industry best practices will be in an acceptable position to use the cloud, although he emphasizes that there are no foolproof methods. "One of the industry best practices is to be continually aware of threats and new and emerging concerns, and to have a proactive response to it," he points out, adding that health care organizations can never become complacent.
Trombley stresses the importance of choosing the right partner. "When you sign up for a service, you are not just trusting a provider with your data; you are trusting their IT department's capabilities to protect that data," she says. "Understand the security measures of a service provider and compare them to your internal practices. You must determine whether the security of a cloud-based solution is appropriate depending on the sensitivity of your data."
What to Keep … and What Not to Keep
One of IG's greatest challenges is determining the value of data and whether it makes sense to keep them. Because cloud storage is not free, Taylor recommends health care organizations weed out unnecessary data to streamline costs. "You have to have a very clear picture of what information is costing you from a storage perspective and a risk perspective," he says, adding that organizations must quantify how their data deliver a return on investment. "When you have an undifferentiated pool of data, you just have a big mess. It costs money, it costs time, and it creates risk."
Trombley says an organization's IG policies must specify which information to keep and for how long. Rules, regulations, and operational requirements, along with how to dispose of data when they are no longer required, must also be considered. "Most organizations have a culture that makes destruction of information difficult, but it is a best practice to dispose of information that is no longer required to reduce risk of exposure from breaches, the need to produce for litigation, and noise when conducting data analysis," she explains.
A productive IG program establishes an information ownership model that aligns the "locus of control" for all decisions about a particular subject with the principal business owners who create the information and use it the most, Crabb says. "The strategic and tactical decisions about information are best made when information creators and consumers have a framework, a process, and a forum," she says, noting that some information cleanup is straightforward while other efforts can take months. "An IG program brings discipline, consistency, and repeatable process to this challenge."
An Evolving Landscape
Widespread adoption is the next step in the evolution of IG in health care, say both Trombley and Crabb. "Valuing information as an asset is the first step," Crabb notes. "IG is not for the faint of heart. It requires investment at many levels, and organizations that initiate IG programs need to be prepared for that fact."
"The IG framework includes all elements of strategic information management, including leveraging it for value in its framework—an extremely important consideration as investment in data analytics is burgeoning to the tune of $41 billion spent by 2018 per [research and consulting firm] IDC," Trombley says.
For health care organizations that truly value information as an asset, IG makes perfect sense, Crabb says. "The same way we implement diligence and discipline around our people assets—our bricks and mortar, our clinical programs, and other initiatives—we should be doing the same for our information," she says. "The challenge is that we still have not found a method or formula by which to effectively valuate health care information."
That being said, Crabb acknowledges that most C-suite executives believe their organization's data are a strategic and tactical asset. "They are reluctant to share it for fear of what it might cost them in competitive advantage," she notes. "This fact alone should be a sufficient driver for organizations to begin exploring IG adoption."
Going forward, Taylor expects health care to continue to move in the direction of greater regulation, with two industry initiatives seemingly in conflict: the need for broader access to patient information along the care continuum and stronger privacy mandates. "We're getting to a position where if disclosure is not mandatory, it's forbidden," he explains, pointing specifically to the recent overhaul of rules put in place by the Medicare Access and CHIP Reauthorization Act of 2015. "It's an odd place to live. What we are seeing is a more rigid regulatory structure and one that changes quite frequently. This makes compliance increasingly difficult."
Trombley says the European Union General Data Protection Regulation, which focuses on moving information between borders and the "right to be forgotten" law, will influence the US environment. Also, she believes IG will be impacted in terms of policy, procedure, accountability, and compliance by US privacy laws enacted by both states and the federal government.
Crabb says reporting organizations must be confident that the data being received are accurate, reflecting the importance of IG's principle of information integrity, a concept that must begin at the most granular level. In essence, data are the building blocks of enterprisewide information, she notes. "Like the elements of the periodic table, they get combined in myriad ways to create information," Crabb explains.
The reservoir of data required to be maintained by health care organizations figures to increase substantially. "We believe that the principle of retention may come into play more significantly as population health and precision medicine initiatives may call upon longitudinal and historical information sets," Crabb says. "Health care organizations may be subject to a broader set of information retention mandates in support of these initiatives."
IG initiatives also may be impacted as the interoperability roadmap takes shape. Crabb points out that virtually every IG principle can be applied to interoperability efforts, in particular the provisions and ideas put forth in the roadmap.
Despite presenting several challenges, it's apparent that health care organizations with strong IG initiatives are in a better position to meet the plethora of federal requirements that lie ahead.
— Selena Chavis is a Florida-based freelance journalist whose writing appear regularly in various trade and consumer publications, covering everything from corporate and managerial topics to health care and travel.