May 29, 2013

What Is Big Data?
Big Data and Healthcare = Big Opportunity
But Big Data Also Means Big Challenges
Are You HIPAA Ready For The Big Data Era?
Healthcare Companies Need More Regular Check-Ups Than Most Companies

If you saw Brad Pitt in Moneyball, watched the last Presidential election, or even looked at your last 401K statement, you’ve seen Big Data in action.

It’s transforming everything in business, including healthcare. But like any significant change, it’s important to recognize that it brings both opportunities and challenges.

What Is Big Data?

When people think of Big Data, they tend to imagine a bigger set of data than usual, even if they don’t have the slightest idea what “usual” looks like. In reality, we’re talking about collections of data sets so large and complex that normal database management tools and processing applications would collapse under their weight.

Big Data is akin to an 18-wheeler trying to move Yankee Stadium!

There are two main reasons businesses are working with far more data than usual. The first is that computing has gotten very good at deriving more information from the “small data” we already have: businesses can now spot trends, fight crime, and determine real-time traffic conditions. The second is that we’re rapidly moving from being able to understand only “structured data” to being able to parse “unstructured data” as well. (Structured data is like the contacts on your computer, with labeled fields for name, address and phone number. Unstructured data is like a recording of a conversation: there is information in it, but if a person mentions where someone lives, they don’t say “First Name, Last Name, Address, City, State, Zip Code” before giving the address.) As the technology for understanding unstructured data makes headway, it becomes increasingly apparent that unstructured data offers corporations across all types of industries new opportunities.

Big Data and Healthcare = Big Opportunity

Intelligent analysis of Big Data can help healthcare companies recognize trends that would otherwise be invisible, improve their ability to predict what comes next, improve outcomes and shrink costs.

That’s a powerful set of incentives, and the need to shrink costs in healthcare is particularly compelling. The United States currently spends about 20 percent of its GDP, an estimated $2.8 trillion for 2013, on healthcare. And a 2009 report by consulting firm McKinsey & Co. concluded that the healthcare industry could save up to $450 billion if it used big data analytics and patients made the right choices about their care and lifestyles.

Following are examples of big data analysis at work:

  • Using Google Maps and free public health data, the University of Florida created heat maps for municipalities based on factors ranging from population growth to chronic disease rates, and compared those factors to the availability of medical services in those areas. This enabled the university to identify three Florida counties that were underserved for breast cancer screening, and mobile care units were subsequently redirected to them.
  • IBM worked with Premier Healthcare Alliance to connect different data sources and metrics to see the “big picture” of how to drive healthcare transformation. Today, its members analyze data from more than 86,000 healthcare providers, and identify best practices to improve patient health while safely reducing healthcare costs.

In one Premier project, 157 participating hospitals saved an estimated 24,800 lives while reducing healthcare spending by $2.85 billion.

But Big Data Also Means Big Challenges

Big data tools also give the healthcare industry transparency by making the information in electronic health records (EHRs) usable, searchable and actionable. Still, healthcare IT tends to lag behind retail and banking in Big Data, for some very good reasons.

For one thing, competition for Big Data experts is daunting. McKinsey estimates that by 2018, the United States will be short 2 million workers with the skills required for data analysis, data management and systems management.

For another, the most important ethical and legal obligation any healthcare provider has is to protect patient confidentiality. More data moving faster across more and more devices and databases makes securing data harder than ever. Healthcare providers must de-identify patient records in their databases before those records are used for analysis, and must be vigilant about potential data leaks, including identifiers that hide in free-text fields where field-by-field rules never look.
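De-identification is where most of the practical work happens, so here is an added example (not code from the article or from Capsicum) of the field-level part of the HIPAA Safe Harbor method described in 45 CFR 164.514(b)(2): direct identifiers are dropped, dates are reduced to the year, ages over 89 are folded into a single “90+” category, ZIP codes are truncated to three digits (or “000” where the three-digit area is sparsely populated), and free-text fields are held back for a separate review pass because no field rule can clean them. What remains is then scanned for identifier-shaped strings, so a phone number typed into the wrong column is rejected rather than exported. The field names, the sample patient records and the list of sparse ZIP prefixes are constructed for the example; a real deployment would take the prefix list from Census data and would cover all eighteen Safe Harbor identifiers.

```python
import re

# Direct identifiers that Safe Harbor requires removing outright (a subset of its 18).
DIRECT_IDENTIFIERS = {
    "name", "ssn", "mrn", "phone", "email", "street_address",
    "account_number", "device_serial", "ip_address",
}
# Date fields: every element except the year must go.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
# Free text cannot be cleaned by field-level rules; it is dropped here and must
# go through a separate manual review or NLP redaction pass.
FREE_TEXT_FIELDS = {"notes"}
# Constructed stand-in for Census data: three-digit ZIP prefixes whose combined
# population is 20,000 or fewer must be reported as "000".
SPARSE_ZIP3 = {"036", "059", "102", "203"}

DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
# Identifier shapes that tend to hide in columns nobody thought to strip.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def generalize_date(value):
    """Keep only the year of an ISO date; refuse formats we do not recognise."""
    m = DATE_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised date format: {value!r}")
    return m.group(1)


def generalize_age(age):
    """Ages over 89 are aggregated into one category, per Safe Harbor."""
    return "90+" if age > 89 else age


def generalize_zip(zip_code):
    """Truncate to the three-digit prefix, or '000' for sparse areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def deidentify(record):
    """Apply the field-level Safe Harbor rules to one patient record."""
    clean = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in FREE_TEXT_FIELDS:
            continue
        if key in DATE_FIELDS:
            clean[key] = generalize_date(value)
        elif key == "age":
            clean[key] = generalize_age(value)
        elif key == "zip":
            clean[key] = generalize_zip(value)
        else:
            clean[key] = value
    return clean


def scan_residual_identifiers(record):
    """Return (field, kind) pairs for identifier-shaped strings that survived."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for label, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    hits.append((key, label))
    return hits


def deidentify_batch(records):
    """De-identify a batch and refuse to release it if anything leaks through."""
    clean_records = []
    for record in records:
        clean = deidentify(record)
        leaks = scan_residual_identifiers(clean)
        if leaks:
            raise ValueError(f"identifier-like data survived de-identification: {leaks}")
        clean_records.append(clean)
    return clean_records


# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "mrn": "MRN-000123", "dob": "1921-03-14", "age": 92,
     "zip": "94954", "admit_date": "2013-04-02", "diagnosis": "I10",
     "notes": "Pt lives at 12 Oak St, call 707-555-0143"},
    {"name": "John Roe", "mrn": "MRN-000456", "dob": "1975-11-30", "age": 37,
     "zip": "03601", "admit_date": "2013-04-05", "diagnosis": "E11.9",
     "notes": ""},
]
# A record where a phone number was typed into a column the field rules leave alone.
LEAKY_RECORD = {
    "name": "Ann Poe", "dob": "1960-07-01", "age": 52, "zip": "95401",
    "admit_date": "2013-05-10", "diagnosis": "J45",
    "referral_contact": "Dr. X 707-555-0199",
}

if __name__ == "__main__":
    for rec in deidentify_batch(SAMPLE_RECORDS):
        print(rec)
    try:
        deidentify_batch([LEAKY_RECORD])
    except ValueError as exc:
        print("rejected:", exc)
```

The residual scan is deliberately a hard stop rather than a warning: a batch that fails it never leaves the function, which is the behaviour you want when the alternative is a reportable breach. Note that Safe Harbor is one of two HIPAA de-identification routes; the other, expert determination, needs a documented statistical analysis rather than a rule set like this one.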

Also, any fast-growing company, or one with short-term projects, is vulnerable. It’s not unusual for 60-day healthcare IT projects to be compressed into 15 days. Security is generally the first casualty: things that should be double-checked aren’t.

EHRs, scarce qualified resources and time and cost pressures are just the tip of the iceberg. Let’s not forget an environment that is highly regulated and subject to both federal and state mandates.

Are You HIPAA Ready For The Big Data Era?

At the heart of these regulations is HIPAA, which aims to ensure that healthcare organizations properly handle people’s electronic Protected Health Information (ePHI). Is the data safe? Can it be properly sorted and tracked? Who can see it? More data, more data sets and more data derived from those data sets translate into more data to be careful about.

In an effort to strengthen the privacy and security protections under HIPAA, on January 17, 2013 the US Department of Health and Human Services (HHS) issued significant amendments calling for stronger security controls. The new rules implement changes required by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), set a more stringent standard for when notification is required after a breach, and broaden the set of entities to which the rules apply. Previously, the obligations fell chiefly on Covered Entities, which HIPAA defines as “health plans, health care clearinghouses and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards”; the new rule makes the contractors and subcontractors that handle PHI on a Covered Entity’s behalf directly liable for compliance as well. Another significant change to the breach notification rule concerns the “harm threshold”, a subjective test of whether a breach could or would cause harm to one or more individuals. It has been replaced by a more objective risk assessment: an impermissible use or disclosure is presumed to be a reportable breach unless the organization can show a low probability that the protected health information was compromised. Corporations aiming to capture the value of Big Data need to understand that much stronger security controls are required. Non-compliance can lead to serious civil and criminal penalties as well as reputational damage, and under the amended rule penalties will be stiffer and more frequent (six- to seven-figure civil monetary penalties).

In the spring of 2012, a privacy class action lawsuit was filed against St. Joseph Health System, which operates three hospitals in Sonoma and Napa Counties in California. The suit claimed that the health system was “negligent” and that it “unlawfully failed to maintain and preserve the confidentiality of patient information”. Over 31,800 patients were affected by the security breach. St. Joseph’s subsequently faced multiple lawsuits, one of which, filed in Sonoma County, sought $31.8 million (that’s $1,000 for each patient, the nominal damages California’s Confidentiality of Medical Information Act allows per affected individual). Other health systems have seen lawsuits in the range of $500 million.

Healthcare Companies Need More Regular Check-Ups Than Most Companies

Because patient data is particularly sensitive, and because HIPAA compliance is a requirement, healthcare companies need to be particularly vigilant. In our practice, we often find that a significant number of employees are not aware of the HIPAA policies in place or of how they apply to their job. Coupled with high employee turnover, this means organizational policies and procedures tend to be forgotten or not properly followed. Lastly, even the best organizations need to institute a regular regimen of network penetration testing to identify new vulnerabilities that a malicious user could attempt to exploit.

A simple way to check whether your organization is HIPAA-ready is to ask your legal counsel when the last HIPAA audit was completed. Typically the vendor will have provided a binder at the end of the engagement detailing compliance. If there’s no recent binder, you may be at risk.

Capsicum continues to support HIPAA-readiness and awareness for its clients. Isn’t it time for your organization to take control?

Capsicum Group, LLC, is a technology and consulting company devoted to helping businesses improve operations and successfully complete technology-related projects. Its practice is focused on various disciplines including: digital forensics and investigations, data and tape recovery, electronic and paper discovery and technology security and compliance. Contact Capsicum today!


(Source: Time.