Data Migration: Is Your PACS Running Naked?

By Jim Maughan & Fred Behlen

Many think of PACS data migration as something that only needs to be
addressed when the decision has been made to convert from one PACS
vendor to another. Yet, recent HIPAA Security requirements are an
immediate regulatory driver for data migration projects and new storage
management strategies.
April 20th was the deadline for compliance with the HIPAA Security
Rule, although most healthcare organizations were not ready to meet the
deadline to fully comply, according to survey results from the American
Health Information Management Association (AHIMA) and Healthcare
Information and Management Systems Society (HIMSS). (See chart "HIPAA
Security: Missing the Deadline.")
Specifically, referencing the HIPAA documents (45 CFR part
164.308(a)(7)(ii)), there is a contingency plan obligation placed on
the covered entities in Section (A) to establish and implement
procedures to create and maintain retrievable exact copies of
electronic protected health information. Section (B) of the rule calls
for a disaster recovery plan, and Section (C) calls for an emergency
mode operation.
To be in compliance with the security requirements, current PACS users
have the obligation to not only have the policies and procedures in
place to administer the security requirements, but also to take the
appropriate steps to provide for disaster recovery and business
continuity.
The penalties for lack of compliance are detailed in SEC. 1176. (a) GENERAL PENALTY: "(1) IN GENERAL. - Except as provided in subsection (b), the
Secretary shall impose on any person who violates a provision of this
part a penalty of not more than $100 for each such violation, except
that the total amount imposed on the person for all violations of an
identical requirement or prohibition during a calendar year may not
exceed $25,000."
The recently conducted U.S. Healthcare Industry HIPAA Compliance Survey
by HIMSS reports that only 9 percent of 400+ bed facilities reported
being compliant and 18 percent of institutions with fewer than 400 beds
said they were compliant with the security regulations. It would appear
that America's hospitals are still unprepared.
For those hospitals that have been using a PACS as the primary means
for diagnostic reading and have been storing images on some sort of
media (MOD, DLT, AIT), this means that if a second copy of the patient
image data is not available and stored in such a way as to provide data
recovery in the event of a disaster to the main system, then the
facility is not in compliance with the HIPAA Security requirements.
How can this be, one might ask? "We have religiously been backing up
our data every night," many facilities are answering. The important
question is exactly what data have been backed up? In all likelihood
the database which contains the patient demographic information has
been backed up, but rarely have the image files been backed up. The
image files have been stored on various forms of digital media and
either placed on the shelf or have been stored in some type of robotic
media reading device. It is rare that second copies of the original
image files have been made.
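One way to check for the gap described above, as an added example that is not part of the original article: take the image paths the PACS database references and confirm that each one has an exact second copy. The index list, directory layout and file names are constructed assumptions; a real audit would export the paths from the site's own database.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large image files are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_backup(indexed_files, primary_root, backup_root):
    """Classify each image path the database index references (assumed export)."""
    report = {"verified": [], "no_backup": [], "mismatch": [], "no_primary": []}
    for rel in indexed_files:
        primary, backup = Path(primary_root, rel), Path(backup_root, rel)
        if not primary.is_file():
            report["no_primary"].append(rel)   # index points at nothing
        elif not backup.is_file():
            report["no_backup"].append(rel)    # no second copy exists
        elif sha256_of(primary) != sha256_of(backup):
            report["mismatch"].append(rel)     # copy exists but is not exact
        else:
            report["verified"].append(rel)
    return report


def demo():
    """Run the audit over a constructed archive with one gap of each kind."""
    index = ["s1/a.dcm", "s1/b.dcm", "s2/a.dcm", "s3/a.dcm"]  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        primary, backup = Path(tmp, "primary"), Path(tmp, "backup")
        for rel in index[:3]:                  # s3/a.dcm is absent from primary
            (primary / rel).parent.mkdir(parents=True, exist_ok=True)
            (primary / rel).write_bytes(b"constructed image bytes " + rel.encode())
        for rel, data in (("s1/a.dcm", (primary / "s1/a.dcm").read_bytes()),
                          ("s2/a.dcm", b"truncated")):
            (backup / rel).parent.mkdir(parents=True, exist_ok=True)
            (backup / rel).write_bytes(data)
        return audit_backup(index, primary, backup)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:11} {paths}")
```

Any path reported under `no_backup` or `mismatch` is an image for which no retrievable exact copy exists, even though the database backup itself may be complete.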

What's a facility to do?
So what are some of the options that are available to current PACS
users that will speed their compliance with the disaster recovery and
business continuity requirements of the HIPAA Security Rule? There are
four general approaches:
- Make backup copies on your existing system. Your existing system
may have the capability to create disaster recovery copies of the disks
or tapes containing image data. This may require reconfiguration or
expansion of your system, generally involving additional products
and services from your PACS vendor. For example, it may require an
additional disk or tape drive in the robotic library to accomplish the
copy operation without negatively impacting the system's clinical
operations. Such a project may take a number of months to complete. It
addresses only disaster recovery requirements and not business
continuity needs, as a destroyed PACS archive would have to be replaced
before the backup tapes can be loaded into it. Check with your PACS
vendor to learn if this option is available to you.
- Replace your PACS and migrate data to the new system. This
admittedly costly option may be appropriate if your system is nearing
replacement age. A new system should enable you to meet the
requirements of the Security Rule, but remember that HIPAA compliance
is your responsibility - not the vendor's - so don't buy a system that
won't help you comply! Data must then be migrated from the old PACS to
the new system, a process that can take from less than a month to more
than a year, as discussed below.
- Copy data to a networked archive Application Service
Provider. Several firms provide services that transfer image data
to secure remote data centers, delivering images on-line in the case of
a breakdown of local systems. There are concerns about the business
continuity aspects of such services in disaster situations, as
communications are the first thing to fail in disasters. However, some
of these services also can offer physical delivery of a loaded storage
system to the recovering disaster site.
- Copy data to a separate repository. A fourth option is to copy
your PACS data to a secondary repository. This could be an enterprise
image repository, or a low cost second archive optimized for backup
purposes. The cost of such secondary storage could further be
reduced by using lossy compression (at modest ratios), which is
arguably adequate for these backup and recovery purposes.

Migrating the data
The last three options discussed above
require a data migration project to copy your present image data to the
new storage system. The approaches to data migration can be classified
as either "conventional" or "rapid" migration.
Conventional Migration pulls data from the DICOM query/retrieve
interface of the legacy PACS archive. This method has the benefit of a
standard connection to the source system, but suffers from the limited
speed available from the older system. Since conventional migration may
take a year or more to complete, the migration appliance is usually
optimized to minimize inconvenience to clinical operations during the
lengthy migration period. "Smart" algorithms, using appointment
schedules and registration messages from the target PACS, may enable
proactive migration of patient folders, thereby reducing the workflow
disruptions of slow "stat" queries.
Rapid Migration bypasses the processors and networks of the old PACS,
reading image data directly from storage media of the legacy
system. Rapid migration can achieve rates up to 1 Terabyte (TB)
per day. This method requires engineering specific to each type of
source system, and requires specialized migration hardware to be
brought in for the project. The additional cost of this approach
is offset by efficiencies of dramatically shorter project engagements.

Conclusion
If your PACS is running without disaster
recovery backup, today is the day to start forming a plan that you can
begin acting on almost immediately. Delay will not only increase the
likelihood of data loss, but also increase the likelihood and severity
of penalties under HIPAA enforcement procedures. The best approach will
depend on your circumstances, but the time to act is now.

Jim Maughan and Fred Behlen are the co-founders of Migratek (www.Migratek.net) which provides PACS data migration services. Maughan can be reached at jfmaughan@migratek.net, and Behlen can be reached at fbehlen@migratek.net.