Your healthcare organization has just spent millions of dollars to migrate to a new Electronic Health Record (EHR) system (pick the application, Epic, Cerner, Allscripts, because this affects all of them), and, you’ve got all the legacy applications and data that’s left behind still incurring costs.
It’s the classic case of ridding oneself of an EHR post-launch migraine.
When the legacy application was first implemented, you probably hadn’t thought: “What will happen when this application is decommissioned?” A decommissioned application can actually become a liability to the organization as it holds what’s called, “left-behind data,” that can be opened, accessed, or even breached. In fact, a staggering 32.9 million patient records were breached between 2016-2017, according to the Protenus Breach Barometer.
So, what are you going to do with your left-behind data? You can’t merely toss the data or unplug the server it resides on and stuff it under a desk just in case. First, there are laws governing data retention and access requirements. Secondly, if you try restarting an outdated application in hopes of retrieving data, there’s a good possibility it won’t come back up, or no one will know how to access it, not to mention you will be opening a giant security hole by bringing an unpatched system back online.
You also need to consider the proliferation of new privacy laws (Vermont and Colorado already have privacy laws on their books), California’s Consumer Privacy Act of 2018 that takes effect on January 1, 2020, and all of the data that needs to be managed, an organization may be asked to report on data from 2019 in 2020. The California Consumer Privacy Act is predicted to change the privacy law landscape in the United States, not just in the Golden State. The law’s protection of California-based consumers will mean that many companies — even those outside the state or the U.S. — will be subject to the new rule.
Mining the data
Healthcare is playing catch up to other regulated industries in terms of how it handles its legacy data.
Monitoring and managing post-production application data can be costly. Maintaining staff who have knowledge of the application, security patching, user accessibility, regulatory compliance, and inquiry responses for audit requirements and legal defense, need to be budgeted for the data retention period.
HighPoint has tools and dashboards that organizations can leverage to archive and consolidate data that remains behind once an application, or several, are migrated to the new EHR. Suddenly, the management of multiple legacy systems, becomes the management of one. Individual application expertise, becomes general end user report knowledge. Security concerns are mitigated, and legal and compliance requirements are satisfied. By having a third-party, such as HighPoint, managing your archived data, the healthcare organization can reduce its costs associated with post-production applications.
And, what’s that in the closet?
A number of healthcare organizations have shared stories about decommissioned hardware being locked in a closet without the technology being properly deactivated.
One organization said they have “closets full of hardware,” that include iOS devices and laptop hard drives with data on them. No one knows for sure what to do with the hardware and respective data that’s stored, so there the data sits to be in “compliance” for data retention. These devices can have the data removed properly and archived at a secure location where the data would be immediately available to an eDiscovery team, as needed. Then the devices can be “put back into service,” repurposed, as it were, to meet the organization’s hardware needs.
Why data retention?
Data archiving is governed by government regulation and the organization’s data retention policies which consider the value of data, over time. These policies determine how the data should be accessed, and disposed of when it’s no longer needed.
Over-retention can also be an issue, meaning that too much data is held past its retention period, and that, too, can put the organization at risk as any data the is retained is available to be discovered during litigation.
Having a centralized repository for all legacy systems allows for an organization to truly manage to retention. No data will be purged if it hasn’t met its retention period or if it is subject to a legal hold. And no data will be retained unnecessarily.
How it works
HighPoint archives both structured and unstructured data. Structured data is data that has a database associated with it such as SQL or Oracle, while unstructured data has no database but lives on things like files shares, SharePoint, OneDrive; laptops, and it can include PST files, PDFs, audio files, video, and social media posts.
When HighPoint archives an organization’s data, a dashboard is built that shows where the archived data is stored, which applications are stored, and who has access to what archived data. It also provides information on how long the data must be stored, and provides transparency and a trail that leads to the data. It also denotes if there are any legal holds, that would prevent it from being deleted.
HighPoint holds the data in the cloud and integrates it with the client’s Active Directory for ease of access. We address Global Retention Policies, such as General Data Protection Regulation, as well as all local privacy laws.
So, the next time you need to migrate an application, you have assurance that no data will be left behind, leaving your organization vulnerable.