Healthcare Information Security

Cloud News

How NKR Used Healthcare Cloud for Secure Patient Data Storage

The National Kidney Registry opted for new healthcare cloud options to meet HIPAA compliance, harden database security, and optimize performance.

- Utilizing healthcare cloud options can help organizations strengthen secure patient data storage, and improve overall efficiency when it comes to patient care.

Healthcare cloud security can play critical role in patient data storage

The National Kidney Registry (NKR) opted to work with Rackspace for healthcare cloud options, and to improve its data storage options, NKR Director of Education and Development Joe Sinacore told HealthITSecurity.com.

Sinacore said that he has been at the NKR since its conception in the summer of 2007, and is proud to be part of an organization that is helping individuals in the transplant process.

Typically when someone needs a kidney, there is a person in their circle of family or friends who is a donor, Sinacore explained. However, sometimes that person is not compatible for a couple of reasons.

The first barrier is the blood type not being a match. The second barrier is tissue type, and the third is areas such as size or age. For example, an 18-year-old should not be receiving the kidney from a 70-year-old donor.

READ MORE: Maintaining Healthcare Security Compliance in the Cloud

“Those are the kind of barriers to the matching part of it,” he emphasized. “Often these folks are have weak compatibility. We have about 80 transplant centers so far, coast to coast. They have these patients, typically pairs, such as a mother, daughter, father, son, close friends. There are typically 300 to 400 of these pairs that are seeking a better match, and they all go into a centralized database. All of the matching criteria and the matching variables.”

Sinacore continued that the NKR will then search for the possibilities of creating a kidney swap, which is where an individual’s donor becomes a match for someone else in the country. That person’s donor becomes a match for someone else, and then someone else’s pair’s match becomes a match for your loved one.

“This is put together in an exchange all typically around the same day, and that's an even exchange with two or three pairs of donors and recipient,” he added.

NKR also has an exchange called a donor chain, which is the same concept, Sinacore explained. There all of the pairs, but there is a Good Samaritan donor who wants to donate to a stranger, and does not have a preference on who their kidney goes to. This person is also called a non-directed donor.

“Though their match, whichever paired recent in the pool that they're a match for, the kidney goes to that person, and then that person's donor pays it forward to the next pair,” he said. “You pay it forward until you end the chain.”

READ MORE: Unauthorized Access, Malware Top Cloud Security Worries

Sinacore said that NKR is a private entity, and is a non-profit organization. However, it has a fee schedule, where hospitals pay fees for NKR to perform the matching and logistic services that re involved in facilitating the kidney swaps.

“The compliance aspect of things really is driven by the transplant centers, and of course the government as well,” he stated. “The transplant centers are governed by the Organ Procurement and Transplant Network, which is part of the Health Resources and Services Administration. Under that there is an organization called the United Network of Organ Sharing, which oversees things as well. There are UNOS guidelines and in addition to that, there are CMS Medicare services.”

There is a very high percentage of patients who are receiving kidneys on Medicare, he noted. These individuals have been on dialysis, and may not have worked in several years.

NKR has also set up its own medical board that was assembled with representation from many of the top transplant centers in the network, Sinacore explained. It includes doctors, nurses, and scientists. That medical board guides NKR policies and member centered guidelines for how it operates.

Making a change for improved healthcare data security

READ MORE: Utilizing Cloud Computing for Stronger Healthcare Data Security

NKR was first based on fundraising, and then began to grow as dozens of transplant centers began to work with the system, Sinacore said. As the volume started to come through, the revenue started to come in.

“We realized that in order for us to continue to grow we couldn't just simply have servers sitting in our own little data center without us starting to invest a significant amount of money into building out a more robust data center,” he recalled. “We also needed to hire people to operate it.”

Sinacore added that NKR realized it was probably smarter and more efficient for it to outsource the whole thing. The email server was the first step, and NKR moved that over to Rackspace. He noted that it was an important move because the switch happened just months before Hurricane Sandy made landfall.

“Our operation in Long Island was without power or communications for over a week,” Sinacore said. “Had we not moved over that email system first, we would have been out of business because that's the primary method that we use to communicate with all of these transplant vendors, all of the match offers that we send out, and all the logistics.”

Shortly after that, NKR started to migrate its servers that it uses for everything else. Sinacore stated that the organization felt that it needed more control over the structure of the database, the coding that supports it, and all of the functionality for managing its logistics and workflows.

“We moved all of that stuff over to servers at Rackspace, and we felt that we were concerned about uptime,” he explained. “Number two, the maintenance, the cost and the resources required to keep the maintenance and keep it up and running. Then the ability to expand quickly, because we knew that we were having a significant growth rate. We're doubling our transplant volume each year for a number of years.”

Sinacore pointed out that more recently, NKR realized that it had to step up the security aspect of things. In the beginning they were not dealing with personal health information, he said. NKR de-identified all of the patients in the system.

“In the beginning we said, ‘All right. We don't want that to hold up our ability to get patients transplanted.’ We stared without any personal health information,” Sinacore reiterated. “This is just the bare minimum of information we need that's generic. You can't identify the patient with it, so we can get the transplants done.”

As the business grew NKR realized that its ability was being limited. For example, if a blood draw kit needs to be mailed to a donor directly, their address is needed, Sinacore explained. Or, if NKR wanted to set up a system to store abdominal scans and imaging, those images have personal health information on them.

“We came up with a generic business associate agreement and told all our transplant centers we're going with this now,” Sinacore recalled. “At the same time, we installed a HIPAA compliant server at Rackspace that Rackspace provides. It has a service that provides and it monitors all of the data going in and out through the firewall to make sure that we're not exposing any of this personal information to the wrong people.”

NKR also upgraded to a managed security platform through Rackspace as the business continued to grow, he explained.

Using healthcare cloud for data breach prevention

One of the short term benefits of outsourcing certain privacy and security measures has been that NKR hasn’t needed to hire its own works in those areas. Instead, hiring more programmers to build tools for NKR can be an option.

In the long term, Sinacore underlined the cost savings aspect in terms of recovering from a possible healthcare data breach.

“We can’t afford to have any incidents where someone breaks in and starts taking data,” he said. “To avoid that altogether, the data is kept secure so we can sleep at night.”

The healthcare industry is one that is really one of the remaining laggards around adopting a lot of new things in the world if IT, including the cloud, said Brannon Lacey, general manager of Rackspace Managed Security.

“A key aspect that has to be addressed within that journey into the cloud is around security,” Lacey explained. “With the change of landscape around security, one where you now have advanced persistent threat actors that are no longer just sort of college students in basements, but actually backed by nation states.”

When that is coupled with the sensitivity of data within the healthcare world, there is a real “powder keg,” he added. If not managed correctly, it poses a lot of risk to an enterprise or an organization, whether they be for profit, nonprofit or otherwise.

“If you do good security and you manage compliance tightly, you turn security and compliance into a business enabler instead of a business restrictor.”

Utilizing secure, efficient patient data storage

As other healthcare organizations consider new options in secure and efficient patient data storage, Sinacore advised that they assess their needs and resources. That way, entities can ensure they can afford the resources to match the needs of data security. If there is a mismatch, then they need to outsource.

“Even the best security people and the best off the shelf security appliances and tools take a lot of time and learning,” he said. “There is a learning curve behind them, and trying to keep them all up to date is not easy to do.”

However, working with a third-party company where that type of data security is their main focus is extremely comforting, Sinacore insisted.

“I want the people who have a vested interest in not just protecting my business, but everybody’s business and their own reputation. Seeing all of the resources that they put in on this, I don’t know how you can do it any better than that.”

Dig Deeper:

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy

no, thanks