• Data Integrity
• Data privacy
• Data Provenance
• Data Security
• DirectTrust
• Interoperability
• Ransomware

Many questions swirl around data integrity and inviolability

While healthcare organizations have made huge investments in electronic records systems during the past two decades, most are still waiting to realize the hard benefits of their automation efforts. 

The systems have returned efficiencies in cataloging and improving access to patient data, but new challenges that have lurked in the background now are emerging as barriers to achieving long-awaited deep benefits from using the systems. 

Even with 97 percent of hospitals and about 80 percent of physician offices using electronic health records (EHR) systems, experts say healthcare organizations are wrestling with foundational issues that are standing in the way of gaining substantial benefits from the systems. These include: 

To discuss these challenges and potential ways to resolve them, Health Data Management brought together key thought leaders to define key issues and offer hope for the future. They included: 

Data needs are changing 

The shift to EHR systems has been aided by federal stimulus programs, and the digital systems have proven valuable in recording patient information and facilitating reimbursement. But now, the industry needs a cultural shift in thinking, and in refining processes to achieve efficiencies and make better use of data to improve care outcomes, Tripathi contends. 

“It was just a short decade ago when less than 50 percent of healthcare delivery systems even had digital data, so we’ve made a tremendous amount of progress,” he says. “Healthcare delivery systems are starting to recognize that they should be thinking of themselves as digitally native. It takes time; process always lags technology change. You start to slowly have people realize that, ‘Wait a minute, I should be really redrawing the way I do all of these things.’ ” 

Ensuring that patient data can be widely shared and used by a variety of players within the industry is a complex challenge, Tripathi asserts. That’s because each provider organization captures documentation in ways that are specialized for them, to achieve their business processes. “They may feel (it’s) very high-integrity data, because it serves their need for documenting medical records for the purposes of clinical care. A research organization may get that data and say, ‘Oh, the quality of this data is terrible.’ Well, that data was never generated for your use. 

“We’ve got a very fragmented healthcare delivery system, and at the larger frame, there’s life sciences, healthcare, human services and public health ecosystems. So, you have many sources of data, each with their own definition of integrity.” 

Ensuring the integrity of data 

Beyond just data quality, healthcare must transition into adopting practices that can ensure that entities within healthcare can unequivocally trust and rely on that data to make care-critical decisions, Smith contends. 

He supports an overarching need for data provenance, which ensures the reliability of data by providing a verifiable “chain of custody” for data, creating a zero-trust security approach and decentralized identity protection to achieve more meaningful interoperability. 

The interoperability question doesn’t just involve liquidity and reliability, but it is more foundational and involves data provenance, he says. “How do you have a cryptographically verifiable chain of custody over data from the source to any destination,” while ensuring that the data arrives complete, without any changes, Smith asks. That needs to happen without the recipients who consume the data to face the “high burden of re-verifying the chain of custody of that data. You want it to be automated” and not a manual requirement that adds burden to the process, he adds. 

Ensuring provenance is a challenge, but it represents only “one part of the problem of interoperability in healthcare,” Tripathi contends. Because healthcare data is shared among so many entities in the industry, achieving semantic interoperability between disparate systems also stands in the way of progress. “If you want to be able to have that kind of semantic interoperability that helps support automation, you end up requiring it in certain areas, depending on the transaction type among certain intermediaries, which, of course, raises vulnerabilities.” 

The use of standards within healthcare has only provided partial answers, he says. “We’ve got no shortage of standards. But how do you figure out, for each of the types of information that you’re thinking about, the set of incentives that drives enforcement of standards?” For example, there’s wide acceptance of consistent billing codes, “because the minute that I submit a bad code to Blue Cross, I don’t get paid,” Tripathi explains. Standards are also widely accepted in e-prescribing, which have “a sort of a payment mechanism that has enforcement built into it.” 

But he contends that lab standards aren’t widely used “because it’s so fragmented … and there is no incentive for using any particular lab standard … (and there’s no) business or governmental regulatory imperatives that force people to standardize.” 

Security challenges impede progress 

Additionally, rising instances of cyberattacks are impacting trust in data and digital care systems, at a variety of levels, these experts said. 

Within delivery systems, information integrity is called into question by the rising numbers of ransomware attacks. Cybercriminals increasingly are using ransomware, which holds data and systems hostage until an amount is paid to unshackle the data, pressuring providers because such attacks cut off access to patient records that are often critical to providing care and ensuring patient safety. The healthcare sector reported 249 ransomware attacks to the FBI in 2023, making it the leading sector targeted by criminals. These and other cyber incidents are eroding patient care and trust, industry experts contend. 

More broadly, others worry that the push toward interoperability and more open standards for exchanging data will increase the number of attack vectors, providing more weakly defended entry points for cybercriminals. Smith lays part of the blame on the use of security prevention approaches that haven’t kept pace with criminals’ tactics. 

“As the attackers have become increasingly sophisticated, most of the security systems are just broken,” he says. “How do we fix security systems that we haven’t fundamentally changed in 30 years? We’re still using the same levels of security systems as we did 20 to 30 years ago, and we just keep piling more on top of them. How do you make all of these organizations that have different trust domains be able to interoperate so that they can trust each other’s security systems?” 

Integrity is crucial to unlocking interoperability and gaining more benefits from digitized health data, says Walsh of tw-Security. “When I go back to the fundamentals of information security, there’s the acronym CIA – confidentiality, integrity and availability. There’s a lot of focus on the confidentiality part. There’s a lot of focus on the availability part, but what’s really lacking is focus on the integrity part. For it to work, we have to trust the data. 

“When I saw the health information exchanges start up, what I observed was that emergency room doctors wouldn’t trust any data they got off a health information exchange. They would still order new tests, because no doctor is going to risk medical malpractice by trusting data they got from an unknown source.” 

Various approaches are being used to bolster data integrity, such as digital signing or public key infrastructure (PKI) approaches, but those are dependent on industry-wide acceptance and trusted management of an agreed-upon standard. 

Some initiatives are underway, Smith said, noting that DirectTrust has formed a working group focusing on governance, with the intent of taking lessons learned outside of healthcare and to create a legal entity identifier that will serve as a verifiable credential to ensure data provenance. 

Protecting organizations and their data is crucial because fallback procedures in the event of an attack are ineffective and detract from efficiency, Walsh notes. For example, reverting to paper records while organizations recover from a cyberattack isn’t something that clinical staff are familiar with now. “In a lot of organizations today, with their nursing staffs, if you said, ‘Go back to paper,’ they’re going to look at you like, what are you talking about?” Additionally, merely scanned images of paper records jotted in the interim is ineffective because those scans typically are only pictures of documents and can’t be searched or used to power clinical decision support systems. 

Trying to patch the vulnerabilities 

Organizations face data integrity challenges because of the large number of systems being used to provide care, Smith noted. “CISOs in this space are saying we’ve got hundreds of pieces of software, and we don’t know what is getting installed, and we don’t even have a way to do a risk assessment of what are the ways to exploit our systems.” 

Tripathi notes that, at the end, users remain one of the biggest vulnerabilities for current systems in healthcare. “It’s the people-process-technology thing,” he contends. “Some of the biggest security incidents that we’ve had haven’t been people hacking into systems. It’s the human hacking, it’s the phishing email that an authorized user clicks on, and now, all of a sudden, you’ve got a big ransomware problem. 

“One of the key things that you know about as part of the challenge is this is a fundamental change in infrastructure across 5,000 hospitals, and you’re not going to do it overnight.” 

“You have to do it a piece at a time … you’re not going to unwind 30 years’ worth of infrastructure” quickly, Smith added. “But if you don’t start unwinding it, it’s never going to get fixed.”