Personalized medicine promises compelling benefits in improving the quality and reducing the cost of healthcare. Personalized medicine is enabled by powerful new types of sensitive data including genetic information about patients. To ensure these benefits are realized quickly, effectively and smoothly it is desirable to avoid security incidents such as breaches. In prior blogs I discussed how to manage privacy and security risks, and securely collect and use data for personalized medicine. In this blog I focus on how to retain data for personalized medicine.


When looking at retention it is useful to consider the types and characteristics of the data used in personalized medicine. The types of data powering personalized medicine range from the original blood or saliva samples used to get genetic information for a patient, to the raw genomic data for a human which is approximately 3.2Gb in size, as well as various other types of derived data. One of the key steps in deriving meaning out of the raw genomic data involves comparing this raw genomic data to baseline genomic data to derive a variance file that is much smaller in size, highlighting only the interesting variations in the genomic data of the specific patient. The data points in the variance file are referred to as SNP’s. Lastly, a risk factors report can be produced from this variance file, highlighting the patient propensity to various traits such as diseases. This report may also highlight pharmacogenomics, specifying the efficacy or toxicity of various drugs to the patient. The risk factors report is often included in the EHR for the patient.


Genetic data are considered PHI and subject to federal regulations such as HIPAA, HITECH Act as well as state level regulations such as for breach notification, for example CA SB 1386, and subject to privacy, security and breach notification rules. The 2013 Cost of a Data Breach Study estimates the average total cost of a data breach in the US in 2012 at $5.4M. Clearly a major business impact. Avoiding such incidents requires a proactive approach to privacy and security.


Location of data retained has a direct impact on regulations and data protection laws that apply. This includes not only the primary backend servers, but also Business Continuity / Disaster Recovery sites, backup sites and any business associates or data processors that may also retain sensitive data. Recent studies and incidents point to the risk of BYOC (Bring Your Own Cloud). To ensure sensitive data for personalized medicine stays in the cloud where it is supposed to be, under the control of the healthcare organization with effective privacy and security controls, it is necessary to ensure solutions are usable, security is not cumbersome, and IT within the healthcare organization is responsive and not overly restrictive.


De-identification is a key safeguard often applied to enable research and mitigate risk of security incidents such as breaches. Various methods exist for de-identification. This can involve removing specific elements of PII, such as in the HIPAA Safe Harbor method. Alternatively a risk based method such as the HIPAA Statistical Method may be used. De-identified data often has some small risk of re-identification, and research has shown that it is possible to re-identify patients using de-identified genetic information. Further, some types of research require some elements of PII, for example phenotype research may require zip code. A practical approach to effectively mitigating risk of sensitive data retained for personalized medicine requires a holistic approach where administrative, physical and technical controls are applied in combination, together with a multi-layered approach where for example de-identification is combined with tokenization, access controls, encryption and so forth.


To ensure solutions are usable security must not be cumbersome, otherwise research shows that non-compliance and BYOC and other risks can increase. Hardware assisted security such as encryption acceleration enables such technical security controls to be implemented with improved performance, robustness to increasingly sophisticated malware, improved usability, and reduced cost. Performance testing shows that such an approach can be very effective in enabling sensitive data to be retained in a highly secure manner with minimal performance and usability impact.


What kinds of strategies are you using to protect sensitive data for personalized medicine?

Below is the first in a series of guest posts from Nirav R. Shah, MD, MPH, the commissioner of health for the state of New York, on healthcare information, clinical analytics, and interoperability. Look for his posts in the Intel Healthcare Community over the next few months.


We’re getting a lot of attention in New York these days for opening up the state’s health data on our new site, In fact, New York won the first annual Data Liberators Award at Health Datapalooza in Washington, D.C., a few weeks ago.


The process of opening up our health data has taught us some valuable lessons, lessons worth sharing with decision-makers in health care and government. Here are three of the most important:


Patients Own the Data

It’s easy to argue that the hospital who treats a patient owns the information gleaned from that encounter or perhaps that it belongs to the insurance company that is paying for it. I’m sure a good case could be made for any of the parties eager to stake their claim on the data.


But I contend that the data belongs to the patient. It’s the patient’s blood pressure numbers, surgery results and medication records. And it’s up to patients to decide whether they want it made available to others. In deciding what to do with data, we should always place the patient’s interests at the top before doing anything else.


Privacy is Essential

The secrecy of data is big news these days. Nowhere is privacy more important than it is in the realm of health care.


Health data is unlike other kinds of data, a truth that is most apparent for those of us who grew up in the era of HIPPA laws. Health information often contains closely guarded secrets that aren’t discussed in hospital elevators or within earshot of the next patient in line, or in polite company.


Even now, in the era of Twitter and Facebook when many people think nothing about revealing intimate details about their lives, the privacy of health information must be a priority. Most people don’t want others to know that they’re struggling with depression, taking a stimulant to control ADHD or undergoing infertility treatments. These are private, intimate medical details, and it’s up to the government to create laws that ensure they remain that way.


Privacy protections are critical, however we choose to use data. Otherwise, we might risk losing the privilege of tapping that data.


The Benefits of Sharing

As a society, we can reap many perks from sharing health information. Individual data by itself has little value if it’s in a silo at your doctor’s office, the insurance company, or your local pharmacy. The power of Big Data emerges only when it’s pooled together. As Ginni Rometty of IBM says, “The value we create today is by sharing.”


Up in New York, we have already proven that shared data can be used to improve population health without compromising privacy. Take for example our data on the percentage of students who are overweight or obese. The information comes from 680 school districts in New York, but no where do you find the names of any individual students. 


Schools can use that information to create school lunch menus, determine physical education standards or set recess schedules. Community organizations can use that data to create programs in their towns. Physicians can look at that data to get insight into their patient pool.


In this era of health reform, health data of all kinds – big and little -- are going to play a significant role in improving care and containing costs. But using data wisely starts when we acknowledge the patient’s rightful ownership of that data, then  the importance of privacy against the potential that can be achieved by sharing.


What questions do you have?


Big data in healthcare is gaining a lot of attention as the drive to personalized medicine shifts into high gear. Recently, the Bipartisan Policy Center hosted a forum that focused on improving healthcare through the use of big data. We were fortunate to catch up with several thought leaders at the event and find out where the puck is headed with using big data to improve patient care.


In the above video, Sen. Ron Wyden (Ore.), J. Leonard Lichtenfeld, M.D., Deputy Chief Medical Officer, American Cancer Society, and Nirav Shah, MD, MPH, Commissioner of Health, State of New York, share their visions of how big data will impact healthcare going forward and the steps needed to harness the power of information within big data for better patient outcomes. Take a look and let us know what you think.


What questions do you have about big data?

In my last blog, How to Securely Collect Data for Personalized Medicine, I discussed risks and safeguards for how to collect data for personalized medicine. The next step in the information lifecycle after collection is use, and I’ll focus on privacy and security concerns, risks and solutions in the use of sensitive data for personalized medicine.


During the collection phase a blood / saliva sample is typically acquired from the patient. Sample(s) are then sequenced to create the raw genome sequence data.


The raw genome sequence data for the patient is then compared to a typical raw genome data baseline data set to create a variance file, or a data set with points of interest where the patients raw genome deviates in interesting ways from the baseline. This raw genomic sequence data set can be very large, ranging to more than 3GB in size. Genomic databases can also contain tens or hundreds of thousands of raw genomic data sets. Maintaining security with such large data sets requires special attention to performance. Examples include hardware accelerated encryption, for example with Intel® Advanced Encryption Standard – New Instructions (AES-NI). Such hardware acceleration can be used in the high performance encryption of databases such as InterSystems Cache.


The variance file may then be annotated to attach meaning to the points of interest where they have been correlated with known conditions or traits, perhaps an increased propensity for a specific disease, or for pharmacogenomics where a specific point of interest in the variance file is associated with increased efficacy or toxicity of a given medicine.


Lastly, a risk factors report is produced from the annotated variance file and may be used by the healthcare professional to deliver personalized medicine.

The risk factors report may then be attached to the electronic health record (EHR) for the patient.


Clearly there are several data sets through the use of sensitive data in personalized medicine, from the raw genomic sequence data, to the variance file, risk factors report and patient EHR, and these need to be protected in confidentiality, integrity and availability.


Healthcare organizations using genetic information must constrain their use of this data to usage(s) specified in the privacy notice given to the patient prior to the patient granting consent to use their genetic data.


On the regulatory front, the Genetic Information Non-discrimination Act (GINA) prohibits the use of genetic information from any of these data sets by group health plans and health insurers for the purpose of denying coverage to a healthy individual or charging that patient higher premiums based solely on a genetic predisposition to developing a disease in the future. Genetic information is also considered Protected Health Information (PHI) and an organization using genetic information may be subject to the Health Insurance Portability and Accountability Act (HIPAA).


For healthcare organizations using genetic information in the United States, the Health Information Technology for Economic and Clinical Health (HITECH) Act requires organization subject to HIPAA to report data breaches affecting 500 or more individuals to Health and Human Services (HHS) and the media, in addition to notifying the affected individuals. Many states now also have breach notification laws, for example California SB 1386 requiring notification of affected individuals in the event of a breach of their sensitive information, which would include PHI such as genetic information that could be associated with them (was not de-identified).


Recently, the HIPAA Omnibus Rule became effective and includes further changes to when healthcare organizations must report breaches, together with new requirements Business Associates to comply with HIPAA Security and HITECH Act breach notification rules, holding them directly accountable for doing so. Business associates may include data processors that use genetic information in providing services to healthcare organizations. Disclaimer: this is publicly available information and not a legal summary or advice about regulations.


Personalized medicine use of sensitive data may also involve sensitive Intellectual Property (IP), especially in algorithms and knowledge bases used to analyze and assign meaning to genomic data. This IP must also be protected.


What types of privacy and security challenges and solutions do you see with the use of sensitive data for personalized medicine?

There’s essentially a 1-in-5 chance that a Medicare patient will be readmitted within 30 days of being discharged from a hospital.


The U.S. government estimates $17 billion USD a year could be saved by preventing unnecessary readmissions through better care coordination, not to mention the improved quality of life and lowered infection risk for patients who don’t have to go back to the hospital.


Under new federal rules, hospitals with readmission rates considered too high now carry risk of having portions their Medicare reimbursements withheld.


The hospital discharge summary is an important document to aid communication that can prevent unnecessary returns to the hospital. If incorporated into an effective workflow, it helps open a window of opportunity for patients and their normal care teams to get on the same page with the hospital on next steps, such as making follow-up appointments, monitoring to prevent complications, managing a new medication regimen, etc.


So, if each hospital creates a better discharge process, we will tackle the readmission problem, right?


Not entirely.


The problem, especially in metropolitan areas, is that patients go to several providers, and a few different hospitals. Therefore, the needed care coordination cannot be confined to one hospital alone. It needs to be spread across the community, including the patient, the patient’s primary care provider, specialists, and in some cases, non-traditional health workers. And to do that efficiently, communities need to standardize the discharge document as well as some targeted post-discharge interventions.


That’s the fundamental premise behind an important project that a small Intel team joined in the metropolitan area of Portland, Ore.  We were honored to work with a team led by Melinda Muller, MD, of Legacy Health, who directs a pilot to standardize the discharge summary and process.


We describe the project and its initial lessons in a new whitepaper: Developing Community-Based, Standardized Hospital-Discharge Summaries.


There are other efforts all over the world to improve the discharge summary process. We’re interested in your thoughts.


What’s happening in your community?

It’s vividly educational to pitch in on the front lines of a grand challenge like the Oregon Experiment, sometimes described as “ACOs on steroids.”


• How do you take a financially strapped program (i.e., Medicaid), nearly double its size, control its per capita cost growth, and deliver better care and service to its patients?


• How do you create more cost-effective clinical workflows across organizational boundaries among traditional competitors?


• And how do you use IT to support the program’s lofty goals?


Observers of the movement toward accountable care organizations (ACOs) will look to Oregon for evidence of success or failure. To be fair, it will take a few years to defensibly answer these fundamental questions.


What we can say definitively now is that the journey is as necessary as it is fascinating. We describe it in a new white paper, ACOs on Steroids: Why the Oregon Experiment Matters.


Health Share of Oregon is a lean startup organization that administers a Medicaid transformation project involving several healthcare providers and public agencies in metropolitan Portland.  Health Share of Oregon’s broad ambitions, as well as its birthing pains, demonstrate the opportunities and barriers to healthcare transformation efforts that go beyond tinkering at the edges.


I’d like to recognize the great work of Intel colleagues Stephanie Wilson and Prashant Shah, who dug in with Health Share of Oregon’s IT team for about nine months to help get the project started under very tight deadlines. We learned a lot and felt honored to work together with the Portland area health IT community.


In healthcare, it’s the long haul that matters. Although the startup phase may perhaps be the most exciting, the ultimate success of the project will be determined through the ongoing hard work to continuously improve. It will take the whole community of Medicaid providers, IT professionals and health data experts to answer the grand questions of the Oregon Experiment.


Our thanks go out to the whole Health Share of Oregon community for their efforts to create a safer, higher-quality and financially sustainable system for people with lower incomes and barriers to healthcare access.


Because of the Medicaid expansion under the Affordable Care Act, the federal-state program is in need of healthcare leaders and IT professionals willing to innovate.


Do you see innovations happening in your community? What’s working and what’s not working?

China, like the rest of the world, is dealing with a massive aging population. Add to this a rising middle class migrating to the cities and a changing family structure and the stresses to China's healthcare and social services systems are huge. China's government, recognizing these challenges, has provided leadership in its 12th 5 year plan outlining policies and funding providing for technology enabled aging services. 


I recently attended the China International Senior Services Expo in Beijing. This conference, sponsored by the Chinese Association of Social Welfare (CASW) under the Ministry of Civil Affairs (MOCA), was a combination of policy articulation and technology and service vendors offering health, wellness, spiritual, and housing solutions. In fact, Intel is working with the Chinese government on an Aged Friendly City Initiative and you can read more about this innovative venture in a new white paper.


As I walked the floors of this expo, I was struck by the innovative and comprehensive set of technologies and solutions on display. There were:


• Smart phone applications for medication reminding, calendaring and caregiver communication 

• Community-based remote patient monitoring solutions (vitals, weight, video conference); some standalone but many that provided call centers for consultation

• Many different shapes and sizes of Win8* touch and Android based mobility solutions

• Wearables (e.g. watches) that track wandering or aid with fall prevention and emergency response

• Real estate companies who were providing assisted living facilities as well as group vacations and other services for elders. 


What surprised me the most was not the Chinese uniqueness of these solutions, but the commonality of need. I could have been in any country, speaking any language. These needs are the same experienced by countries all over the world who have aging populations.


The unique aspect in China is the magnitude of deployment occurring. Many of these vendors claimed deployments in the "thousands"...still a tiny fragment of the Chinese market but significant nonetheless. It made me think that China could be the place that gets this right. It has all the elements: the need, the urgency, the policy, the funding, and the innovation.


Remember to check out this white paper on the Aged Friendly City Initiative.


What do you think?

For the past 12 years or so, San Francisco-based MedAmerica has relied on a web portal to keep doctors in touch with other physicians and clinical staff. More recently, as the BYOD trend has helped define mobile use in the healthcare space, CIO Nancy Burghart-Hall and her team have been busy rolling out an in-house mobile app aimed at streamlining time sensitive communications among the physician practice management group’s 2,000 providers, who span 125 locations across nine states.


“Our strategy has been to manage communications among clinicians, who are located inside and outside of the hospital, as part of an overall mobile strategy,” Burghart-Hall says.


Launched in 2012, the HIPAA-secure mobile app enables communication among providers via email, voicemail, and text. It also grants access to work schedules—so physicians and clinicians can swap shifts on the fly, if necessary—and a MedAmerica directory with contacts for anyone in the organization.


With 1,500 downloads to date, Burghart-Hall feels the app’s uptake is going very well.


“Now, we want to extend it to the physicians and the communities in which we practice, to the on-call panels at the hospitals, the specialists and consultants, so that our ER doctors can talk directly, in a HIPAA-secure fashion, about a case,” Burghart-Hall says. “We’re getting ready to look at how we can include those providers in our panel groups, and allow them to download our app and use it as well.”


For Burghart-Hall, perhaps the biggest challenge associated with this project has been determining how much to invest, given that MedAmerica’s provider population is approximately 50 percent over (and under) the age of 40.


The current generational transition taking place may suggest IT is driving the adoption of technology before the other half of the physician population is ready to adopt it, but Burghart-Hall is striving for “an acceptable balance” that promises to both improve quality of care and increase efficiency.


Going forward, the IT team plans to bolster MedAmerica’s mobile app by partnering with another vendor that has a national provider directory. Such a move would greatly expand the expertise available to the physician practice management group’s ER doctors. However, the challenge here is the same as that experienced by anyone trying to exchange health information: knowing who’s on the network at all times.


Burghart-Hall says she’ll consider the project a success when providers report they’re able to communicate electronically—and efficiently—in a HIPAA-secure fashion. For the time being, though, she’s focusing on extending the app to MedAmerica’s communities.


What questions do you have?


As a B2B journalist, John Farrell has covered healthcare IT since 1997 and is Intel’s sponsored correspondent.

Below is a guest blog from Narayan Sundararajan, global healthcare program manager at Intel, who attended last month’s Global Midwifery Symposium.


Think about this: pre-eclampsia/eclampsia, post-partum hemorrhage and prolonged and obstructed labor together account for more than 50 percent of all maternal deaths in developing countries. That’s why the Second Global Midwifery Symposium in Kuala Lumpur last month was so important for introducing strategies to strengthen healthcare in developing regions.


One of the biggest strategies is introducing technology to the process.


A workshop that Intel participated in with UNFPA, WHO and JHPIEGO launched three key e-learning modules for training frontline healthcare workers and midwives on life-saving skills. The energy, passion and vibe from the participants during the training and workshop was tremendous; they all really want to make a positive difference in the world.


During the session, around 70 midwives, frontline health workers and others from more than 25 countries were trained on how to use the skoool™ healthcare education platform. The open access, no charge license e-learning application can be used both offline and online, and can house various types of content formats including the three modules on pre-eclampsia/eclampsia, post-partum hemorrhage and prolonged and obstructed labor with associated quizzes.


Each participant’s laptop was loaded with the platform and modules to take back to their respective countries. The sponsoring organizations challenged each of them to see how they could incorporate such a platform and modules in their own country’s health system to bridge the gap between lack of facilities and trainers and critical shortage of health workers.


In addition to the workshop, I gave an overview presentation on innovations as strategies and made the following key points:


• Innovation is defined as something new, fresh or improved but that creates value. And, it is important to understand where your innovation falls in the spectrum of incremental, modular, architectural or radical innovation and what the value it creates is.


• Doing that is not just a theoretical exercise but allows self-introspection on its novelty, the potential impact it will have and most importantly, the obstacles or roadblocks that will be faced and need to be overcome for its successful implementation and scaling.


• Traditionally, governments and development agencies are more comfortable with incremental innovations whereas more examples of radical innovations are found in the private sector. Hence, public private collaboration is a key to encouraging radical innovations that have tremendous impact.


A four-way collaboration between Intel, UNFPA, JHPIEGO and WHO is an example of a radical innovation that has the power to transform healthcare access, quality and cost as it exists now and in particular, revamp healthcare education and training as it is delivered today. That’s why innovation is no longer a choice, and applying technologically innovative solutions to address big problems in maternal and child health is an imperative.


What do you think?

Dr. Lyle Berkowitz, associate chief medical officer of innovation for Northwestern Memorial Hospital, believes that failure leads to innovation. His book, Innovation with Information Technologies in Healthcare and organization, Szollosi Healthcare Innovation Program, offer proof that innovation must be nurtured and that it often occurs under surprising circumstances. Read below in this 5 Questions interview for his insights and advice on making healthcare organizations more in tune with innovation.


Intel: What are three simple things an organization can do to encourage innovation? Dr Lyle pic.jpg


Berkowitz: The key is to change the culture of the organization, which needs to be both top down and bottom up. From the top, the first step is to get executive buy-in that failures are a good thing. An innovation mantra is fail fast, fail often and fail cheap…you will always learn a lot! So many hospital executives are scared of any failures, but they need to be embraced to encourage people to try new things. Second, identify someone whose role is to find new innovations for piloting and to support innovators within your organization. Give this person a small budget so they can try new things without having to go through the usual budget bureaucracy, while also recognizing that their job is to move from concept to pilot to figure out if a bigger project is warranted. Finally, consider an X-prize or crowdsourcing exercise in which your whole organization is challenged to come up with an idea that can create significant value.  If you promise to split any cost savings with the winners, you will likely be shocked with how many good proposals you will get!


Intel: Your book, Innovation with Information Technology in Healthcare, collects stories from more than 20 organizations that have successfully created and implemented new health care information technology processes. What is the common denominator across all of these successes?


Berkowitz: Our book allows the innovators themselves to tell us what they did, why they did it, how they succeeded, lessons learned, and their plan for next steps. It's like a big cookbook of recipes on how to innovate, with sections on EMR Innovation, Telehealth Innovation, and Advanced Technology Innovation (e.g., analytics, portals, mobile, and gaming). Some commonalities include having a physician or other champion with a passion for fixing something that is not working well, the patience for multiple iterations, and the skills to start something small and then expand it once it starts succeeding. Additionally, many of the stories focus less on the technology, and more on the process, business model, and sometimes legal changes needed to realize the full power of the innovation.


One of my favorite stories in the book describes how UPMC addressed an issue involving a patient who came in for antibiotics, but had a severe allergic reaction to the latex gloves used by the IV team. Although she had a known latex allergy, the IV team was not aware of this because it was not part of their workflow. Instead of simply saying, "We can improve this process by making the IV team always check for latex allergy,” the executives decided to do a brainstorming session and used this example as a starting point for how they might rethink the whole process of care at their hospital. Someone came up with the wild idea of "What if the room was alive and knew who entered and what information they needed based on their role?” That idea became a prototype involving a monitor and computer system, which used RFID to identify who entered a room, and then displayed relevant information and allowed them to enter data. The team found that this improved both quality and efficiency, and they wound up creating a company to deploy these at their hospital and beyond. It represented the whole arc of innovation—problem to brainstorming to piloting to spreading. Other stories describe how an EMR’s built-in functionality can be used to support care coordination, preventive care and disease management, and early warning for adverse events. Telemedicine stories range from traditional doctor-patient video calls to electronic curbside consults to ePharmacists and Teletranslators. And, finally, there is a section describing the use of analytics, mobile, and gaming technologies applied to healthcare.


Intel: What healthcare technology do you use and like?


Berkowitz: From a personal and business perspective, I loved my smartphone from the second I got it. It's critical for me to keep in touch with my email as I juggle multiple roles and travel away from my office several times a week. However, with respect to clinical care, my technology needs are different. I need a large-screen computer. I use an electronic medical record system and a secure messaging system to keep in touch with patients. I access UpToDate for most clinical reference, and use Google in the exam room when I need to show a patient a picture or video to get a point across. We also have a nice touch-and-go authentication system, and more importantly, for security is a system that locks my computer when I open my exam room door to leave.


Intel: How do you see healthcare technology changing in the next three years?


Berkowitz: I think there will be two major changes for healthcare.  First, I think the EMR will become more of a platform and we will see "EMR Extender Companies" building apps that sit on top or alongside EMRs to improve efficiency and quality in a variety of workflows. A company I cofounded two years ago, healthfinch, focuses specifically on apps to improve physician productivity by helping to automate and delegate certain repeatable tasks away from doctors and toward their staff (e.g., medication renewal requests). Second, I think we will see consumer biometrics get increasingly small, cheap, easy, and ubiquitous. What will then be important is to have a way for physicians to "use" all this data. I envision a future where this ubiquitous health data flows into a cloud that contains the protocols to help promote wellness in all, maintain health in those with stable illnesses, and identify outliers who need to come in for review.


Intel: What is the Szollosi Healthcare Innovation Program? What changes are you trying to make within the healthcare system?


Berkowitz: The Szollosi Healthcare Innovation Program (SHIP) is a charitable endeavor with a mission to use creative thinking and diverse technologies to produce a better healthcare experience for patients, physicians, and others associated with their care. Our work on care coordination has been highlighted in the Harvard Business Review and by the Hope Street Group. Our work on "information visualization" was highlighted at the Mayo Clinic's Center for Innovation Transform Conference.


Two of our care coordination projects were selected for the AHRQ's Innovation Exchange:


ExpectED: Electronic Handoff Notes to the Emergency Room

The Inflection Navigator: Tale of an Easy and Effective Care Coordination System


The Szollosi Healthcare Innovation Program is trying to help spread the word on the use of innovation science in healthcare to help others think differently about how to address issues we face every day.


For more insights, follow @DrLyleMD on Twitter and read his book, Innovation with Information Technology in Healthcare.


What questions do you have?

In my last blog, I discussed the rationale for applying privacy and security best practices to enable the benefits of personalized medicine while minimizing risks of breaches and other types of security incidents. One of these best practices involves walking through each step of the information lifecycle, from collection, to use, retention, disclosure and disposal. In this blog I take a look at the collection stage of the information lifecycle.


Collecting information for personalized medicine requires informed patient consent. Patients must be informed about the benefits, risks, who will have access to their data, how their data will be processed, and choices they have regarding their personal healthcare information. This includes both physical samples collected, such as saliva and blood samples, as well as the raw genome sequence data.


Research is needed to further the science of analyzing and deriving meaning from genetic information, and this research needs genetic data. Patients are typically presented with a choice of whether to participate in this type of research, and whether they want to authorize sharing of their genetic data, most often in de-identified form, with such researchers. Choices presented to the patient are typically either opt-in or opt out.


Opt in is where the patients data by default will not be shared with researchers unless they explicitly opt into sharing their data. Alternatively the patient may be presented with an opt-out choice where the default is for their data to be shared with researchers unless they explicitly opt out. These basic “all or nothing” opt-in / opt-out types of choices are often overly simplistic and don’t give the patient much control over their data. More sophisticated consent and choice mechanisms are required in the future for the patient to have greater control over who should have access to their data, for what purposes, how they can get access and participate, and so forth.


Some types of genetic research require more than fully de-identified data. An example is phenotype research which requires information about the patients environment, for example their zip code. This is location information about the patient and therefore Personally Identifiable Information (PII) which, when associated with healthcare information such as genetic information can cause the combination to be classified as Protected Health Information (PHI) under HIPAA and subject to legal and regulatory requirements, for example breach notification in the event of loss or theft. 


For this reason, tokenization is often used in the collection of genetic information for patients. Right from the time physical saliva or blood samples are taken they are often bar-coded to associate them with the patient, in contrast to labeling the samples with elements of the patient PII such as names, date of birth and so forth. Tokenization may also be used later to enable authorized access to limited PII, in addition to de-identified genetic data, in order to support more sophisticated research such as phenotype research.


Encryption may be used to protect the confidentiality of collected sensitive data at rest and in transit, including elements of PII stored in secure databases. Genetic data can take the form of very large data sets. For example a single raw genome sequence data can be several hundred GB or larger in size. Encrypting a volume of data such as this, while maintaining performance, requires hardware acceleration, such as Intel® AES-NI (Advanced Encryption Standard – New Instructions).


What types of privacy and security challenges and solutions do you see with the collection of data for personalized medicine?

Stop me if you have heard this story before: an organization has a paper workflow that involves keystroke entry, which results in errors and inefficiencies. Sound familiar?


That was the case with the Infectious Disease Clinical Research Program (IDCRP), a worldwide network of Department of Defense (DoD) clinical and research centers that have collaborated to investigate infectious disease challenges facing the military. IDCRP had a paper workflow that relied on double-key data entry into electronic data capture (EDC) systems with resulting errors, scanning and mailing of forms, and slow processing time.


The big question was, “how can this process work better?” To move beyond the inefficient system, the IDCRP turned to Mi-Forms Tablet forms technology running on TabletKiosk’s Sahara Slate PC i500 tablets to eliminate all paper forms.


The benefits of this switch were immediate and extensive. For example: 50 percent time savings, 80 percent of users grading the solution as more efficient, and total buy-in from the clinicians.


A new whitepaper goes deeper into this case study and shares more of the benefits that were realized. You can register and download the paper here.


What questions do you have? Would your organization benefit from a similar engagement?

Personalized medicine, or tailoring medicine to individuals based on genetic and other information, promises major benefits to improve the quality of healthcare. This key trend is also sure to accelerate in the next few years to a major change driver as DNA sequencing becomes more affordable and algorithms to derive meaning from this data become more powerful. Many new types of sensitive data and intellectual property are used through the personalized medicine information lifecycle from collection, to use, retention, disclosure and disposal.


HIPAA, HITECH Act, GINA, and state level regulations such as CA SB 1386 regarding healthcare / genetic information and breach notification present a complex legal and regulatory compliance landscape. Privacy and security concerns about regulatory compliance, breaches and theft of IP abound, and often impede realization of the full benefits of personalized medicine. Advancing the science of personalized medicine requires vast databases of sensitive healthcare and genetic information, and access for research.


De-identification, for example based on the HIPAA 18 identifiers commonly found in protected health information, is often applied to enable research and help mitigate privacy and security concerns and risks. However, there have been several successful high profile re-identification attempts that have correlated de-identified data with the correct patients.


Clearly, even with de-identification, there is residual risk. Compounding this, genetic information is far from fully understood, and the genetic “dark regions” we don’t yet fully understand, may well hold information that increases re-identification risks.


In my next few blogs, I’ll apply best practices in healthcare privacy and security to take an objective approach to assess risks, apply safeguards using a multi-layered approach to effectively reduce residual risk to acceptable levels. I’ll look at various types of sensitive data used through the personalized medicine information lifecycle from collection, to use, retention, disclosure and disposal, assessing risks to confidentiality, integrity and availability of the data.


I’ll also look at recent healthcare security research underscoring the importance of usability of solutions and security, how a lack of usability can adversely impact compliance and risk, and practical strategies to implement strong and usable security. Hardware based security is enabling stronger and more usable security controls that can be used as part of a holistic multi-layered approach to effectively mitigate risks in personalized medicine, enabling benefits to be fully realized sans privacy and security incidents such as breaches.


What approach are you using to manage privacy and security risks and enable personalized medicine in your organization?

In the past year, I’ve blogged about big data and cloud computing. Increasingly, the two are converging in ways that have transformative potential for healthcare and life sciences.


From electronic health records (EHR) and PACS (picture archiving and communications system) to genome sequencing machines, healthcare and life sciences (LS) are generating digital data at unprecedented rates. Much of the effort around “big data” is concentrated on deriving value from this information. Using distributed software frameworks such as open source Hadoop*, big data techniques will give us the analytic scale and sophistication needed to transform data into clinical wisdom and innovative treatments.


Cloud computing can help healthcare/LS organizations take advantage of big data analytics and accomplish other key objectives. Whether you focus on your own data center, work with a hosting provider, adopt software-as-a-service (SaaS) solutions, or combine multiple approaches, cloud models provide the organizational agility to access scalable computing resources, as you need them. Cloud computing offers well-recognized cost savings, but with all the changes and opportunities facing healthcare and life sciences organizations, the agility benefits can far outweigh them.


Intel recently developed two documents that can help you advance your cloud and big data strategies.


The New CIO Agenda takes a high-level look at key issues to consider as you move toward cloud-enabled transformation. It also provides quick examples of five leading healthcare/LS organizations that are using cloud computing to create value and enhance agility.

Big Data in the Cloud: Converging Technologies goes deeper into analytics-as-a-service models and identifies practical steps to advance your cloud-based analytics initiatives.


I encourage you to download these documents and use them as you evolve your cloud and big data strategies.  I’d also like to offer three specific suggestions that can move you forward and prepare you to take full advantage of cloud and big data opportunities:


1. Develop a roadmap. Start identifying what’s critical to keep in secure, on-premises environments and what functions you can move to external infrastructure-as-a-service (IaaS) clouds or consume as SaaS solutions.

2. Modernize your infrastructure. Even if you use SaaS heavily, you still need standards-based virtualized infrastructure to interface with external services and adjust to fast-changing demands. If you’ve already virtualized your servers, start looking at storage virtualization, unified networking, and software-defined networks.

3. Don’t let security concerns keep you out of the cloud.  There’s plenty you can do to keep data and resources secure in the cloud. Use your move into cloud computing to take a comprehensive, holistic approach to privacy and security. Adopt policy-driven, multi-layered security controls, and use hardware-enhanced security technologies to improve security and end-user experience.  As you talk to potential cloud service providers, make sure they are able to meet the requirements derived from your organization’s privacy and security policy.


Intel is committed to enabling healthcare and LS organizations to reap the full benefits of cloud and big data analytics. We’re designing the compute, networking, storage and software capabilities to deliver high performance solutions for large-scale cloud and analytics workloads at scale. We’re collaborating with the Open Data Center Alliance (ODCA), Cloud Security Alliance (CSA), and other industry organizations to create flexible, secure frameworks for cloud computing and big data analytics. And, we’re expanding our software portfolio with solutions such as the Intel® Distribution for Apache Hadoop*, which enables standards-based distributed analytics with robust security and management capabilities.


I think some of the most exciting use cases for big data analytics and cloud computing are coming from healthcare/LS. How about you? What are you doing and seeing? How can Intel help you reach your cloud and analytics objectives?


• Download The New CIO Agenda brochure.  

• Download the Big Data in the Cloud: Converging Technologies solution brief.

• Visit this web site to see what healthcare and life science users are doing with big data analytics and Intel® technologies.

• Follow me @CGoughPDX  on Twitter.

If you were at HIMSS this year, you saw how mobility is dominating the current health IT landscape. Today’s healthcare industry demands the latest technology and solutions from companies that are in touch with complex IT challenges. That’s why Toshiba, Intel and Microsoft have joined forces to provide next-generation mobile devices, applications and solutions that improve quality of care while reducing costs and meeting all compliance and security requirements.


The best way to understand the advancements in mobile devices is to see them for yourself. If you live or work near Dallas, Chicago, Los Angeles, or San Jose, you are invited to attend our special healthcare mobility events in June. These mobility roadshows are great opportunities to join other healthcare IT professionals in your area and hear from a panel of experts as they present the latest innovations in applications and devices. You’ll also have an opportunity to ask questions, demo new products and even win an Ultrabook.


What will you learn? The healthcare panel will give you insight on:


• The latest breakthroughs in mobile healthcare technology

• Deciding which clinical workflows are most relevant for a secure mobile solution

• How to provide a range of hardware solutions that clinicians will love

• How the right management infrastructure can support both existing and new devices as you roll them out


Find out more about the events, which start June 4 in Dallas, and register here. The event will move to Chicago on June 5, Los Angeles on June 11, and San Jose on June 12.


What questions do you have?

Filter Blog

By date:
By tag:
Get Ahead of Innovation
Continue to stay connected to the technologies, trends, and ideas that are shaping the future of the workplace with the Intel IT Center