Caring for Personal Data
Print Issue: March 2019
Over the 15 years that Epiphany Healthcare has helped doctors view and manage medical test results, data transfer processes and privacy laws have evolved—and the company is evolving with them.
Epiphany’s Cardio Server supports more than 950 hospitals around the world by aggregating and managing electrocardiograms and other cardiopulmonary test results in a browser-based application that can be accessed by healthcare teams anywhere. It allows doctors to use diagnostic tools to interpret and sign off on the tests, which are then sent off to a patient’s electronic medical record.
“Time is tissue in the world of cardiac care; it’s important that we get the study information to the doctor as quickly as possible where they can read and provide the diagnosis and treatment for that patient,” says Joe Noto, vice president of strategic alliances, partnerships, and marketing at Epiphany Healthcare.
There are dozens of testing device manufacturers in the cardiopulmonary field, and each has its own way of exporting test data. Because of this, Epiphany must be able to gather all types of personal health information (PHI) in a secure and efficient way. To migrate the data, vendors would have to zip and password protect the file to send it via email, and, if the file were too large, Epiphany would send the vendor a secure hard drive to complete the exchange—a process that involved its own set of security challenges.
“That whole process was really consuming time and money,” says Chad McQuarrie, system administrator at Epiphany. “With [regulatory] restrictions, we had to be aware of exactly where the drive was, who sent it out, and who had access to it. It was a very long procedure.”
And if vendors needed support with the transfer of the data, McQuarrie and other back-end employees had to take extra precautions to make sure they never opened files with PHI while troubleshooting. The support team also had to direct customers to take extensive measures to keep sensitive data secure.
“For our support team to go through that, [the customer would] have to email us a visual of what’s going on,” McQuarrie notes. “We’d explain that they still need to zip that part up and password protect it before they could send it to us.”
To simplify the secure transmission of PHI to Epiphany, McQuarrie began the search for an updated solution that would make the transfer of sensitive data easier and more secure for both Epiphany and its customers. McQuarrie says he considered about 20 options, looking for a solution that worked with the organization’s system and would replace its FTP server.
He found the answer in Egress Software, which met all of Epiphany’s requirements, especially when it came to the back end—most similar solutions required the use of a Microsoft Exchange server, but Epiphany uses Gmail.
“One of the key factors we needed was something that didn’t change our daily procedures, that could be incorporated into our email, so that I didn’t have to retrain the whole company on how to handle PHI,” McQuarrie explains. “Egress was the only one I found that incorporated into the email system that we already have.”
With guidance from Egress’s experts, McQuarrie was able to seamlessly integrate encryption capabilities into the organization’s Gmail interface to protect the transfer of PHI over email.
“I didn’t have to stop the flow of anything to kick this off,” McQuarrie notes. “I could do all of this in the background and test it out, make sure it works, and then let everybody know how to do it through training. It’s pretty self-explanatory—a few settings in Google, a few tests here and there, and that’s it.”
Another benefit of the Egress system is one McQuarrie hopes will make the external hard drives obsolete: a secure Web form through which vendors can upload large files straight to Epiphany, with the uploaded data now stored in the cloud.
“Customers could go to a Web page, literally upload their data, which is encrypted, and we get the email to pull it down and decrypt it,” McQuarrie explains. “In the past, if your email can’t handle the files, we’re going to have to send you a drive. Now, if you don’t want to wait for the drive, we can send you to this website and you can upload there. It’s something new we can offer.”
Epiphany also allows customers to upload data via a computer application. McQuarrie notes that they will still use the external hard drives, but only if a customer’s own firewall won’t allow them to send the data via one of the three methods. And now that the files are cloud-based, Epiphany does not need to store the data.
“Because the data is in a cloud atmosphere, if something were to happen to our data center, you don’t have to redo all your data that you sent to us,” McQuarrie says. “Before, we were holding the data and after six months deleting it. We don’t have to do that now.”
Egress gave McQuarrie the tools to make the transfer of PHI all but foolproof. He notes that the Web page allows vendors to choose the recipient of the data from a dropdown menu to avoid any mistakes.
And if a problem arises during the transfer, Epiphany’s back-end employees now have an easier way to identify the issue—Egress creates a detailed report of every transfer, so McQuarrie can see when the data was sent, who had access to it, and more. This bird’s eye view of the problematic transfer gives employees enough information to identify the problem without having to work around sensitive documents.
“I have an overview of everything, but I can’t see the data, even with an overview to the whole system,” McQuarrie explains. “If someone can’t get to their data, I can redirect it. If they want to cancel it, I can go in, cancel, and make a report about where it went and who accessed it. Having that capability was immensely positive for any of the audits that we go through.”
Because Epiphany manages PHI, it is audited by many organizations. McQuarrie says one of the biggest benefits of using Egress for the Cardio Server is the seamless auditing process thanks to the in-depth reports.
“It’s on us to prove that sensitive data was not touched or seen,” he explains. “There are reports on when it was accessed, the IP address, the exact time and day of when they opened it. Having that in a report to drop was huge—I can tell you nobody has touched it, and the customers could know exactly how things were done.”
For more information: Mark Bower, 1-800-732-0746