I'm sorry, are you saying securing patient data is simple? No offense, but you might be the only person on this planet to share this sentiment and there's a reason why.
So, it's simpler to secure sensitive information in a database, secure your hosting, maintain security updates to those hosts, undergo audits, keep up with changing regulations, keep up with the latest threat vulnerabilities, staff a full response team in case something happens, etc?
Not trying to be rude, but it's obviously not simple.
What's crazy about your answer is that we had a whole host of "Bitcoin for your data hacks" that were only made possibly by setups your describing.
>By far the hardest thing about that project was the complexity of the medical codes-
Yes, this is also complex. But a totally different problem in a totally different space.
To be fair of the things you've described, if you can swing it, you should be doing most of this regardless for a business setup. Specific to HIPAA would be the auditing and 'changing regulations' (and depending on client needs, you'll likely have other audits for business needs).
I'm going through a gap analysis for HIPAA now; would you mind sharing what impactful changing regulations you've seen in the past 5 years?
Not sure how to respond to this. Are you saying I should go out and hire 2-3 people to set up a ton of infrastructure and maintain it for me instead of relying on the professionals at Azure (who specialize in this) and it's done automatically at a fraction of the cost? We went through 5 years of "bitcoin for your data" fraud in exactly the situation your describing.
I don't need to hire anybody as of now. None.
> I'm going through a gap analysis for HIPAA now; would you mind sharing what impactful changing regulations you've seen in the past 5 years?
This is my point. I don't know and don't care. I don't have to worry about it at all. I don't have to worry about updating the handful of apps and servers that connect to all the different integrations we use because this field is siloed into a 1,000,000 little pieces. I don't have to worry about PHI getting leaked out of some server I forgot to update somewhere or misconfigured because I made a mistake while installing it or setting it up the first time. That stuff is all handled through Azure's existing cloud infrastructure. It's literally tailored to healthcare solutions. No single person (or 2 or 3 or even 4) full time people could come close to what they offer at the cost.
The most important things to consider (IIRC) were ensuring that the data was encrypted at rest and in flight, and that access to the data was audit logged and properly authorized.
We had an audit every so often. None of this was hard. Just tedious. It does help to have a HIPPA expert advise.
I don’t think public cloud vs self hosting makes a massive difference. Of all the problems such a project faces, that is not close to the top one.
Keeping machines patched and up to date is also not terribly hard.
Anyway, I’m not saying you’re totally wrong. Our project may have had more hidden risk than I realize. But it’s my opinion based on that experience.
Right now, I'm the CTO of a medium-sized healthcare company. We're building our own EMR to replace the one we're currently using ON TOP of building out some line-of-business integrations that can help modernize other parts of our office.
Part of that is grabbing data from an FTP EDT source from an HIE, storing that, processing it and then reporting. Our EMR has a bulk data download that we roll throuhg each night, processing data, building reports, etc. These integrations also tie into existing apps we use like Microsoft Teams, Microsoft Forms, Power BI, etc.
With the EMR we're building, I was able to pull on some help early on, set up all environments in Azure (dev, test, prod), all databases, background services (which we use A TON), blob storage, certificates, etc. I can count on one hand the number of times I've had to touch it since.
Prior to me coming on, all our data was stored on a server we hosted ourselves. It was a simple shared drive that constantly needed to be patched and updated. Went down ALL the time. And became a nightmare to manage on top of the 20 other pieces of technology we needed to use to get by. You know what I did? Copied the entire share to OneDrive and shut down the server and I was done. Never had to think about it again. And it's versioned. That's another benefit of cloud infrasturcture.
I'm a single dev at a healthcare company that has dozens of things going on all because I can rely on Azure's cloud infrastructure.
And that's not even counting the additional healthcare services they offer like FHIR servers, deidentifications services, pulling out snomed, med, and diagnoses codes from history and physicals, etc.
I couldn't come close to this if I was tasked to do it myself. And the problem is that healthcare changes constantly. So you need to be able to be nimble and fast. Being able to offload those sort of challenges has been super helpful in that regard.
It's not a silver bullet. My biggest issues NOW are people related. Links in emails are the hands down the biggest attack vector I have to worry about (for better or for worse).
As far as the coding complexity, while a totally different animal, is another huge challenge as you mentioned. And it's not just "how do I translate this to a billing code" it's being able to make sense of unstructured clinical documentation, being able to report on it and analyze it, and most importantly share it. An encounter with a patient could potentially have to collect upwards of 2000 data points that are changing based on the patient, the diagnoses, or what's happening the world (Covid for instance). It's an insanely challenging problem which it sounds like you have experience with.
