While we are surely poised to continue to make tremendous medical advances, notably in personalized medicine, pharmacogenomics, and precision medicine, we are also facing substantial challenges. The challenges facing healthcare today are many, and if we do not adequately address them we risk missing opportunities, pushing the cost of care up, and slowing the pace of biomedical innovation. In briefly surveying the state of healthcare, it is not my intention to offer a political diagnosis or solution. Rather, it is my intention to use our current technical knowledge to point the way to practical solutions. For example, a long-theorized solution to health records management would be a single cloud-based system where healthcare information sharing exists universally. But if I were to present this as the best technical solution, it would not be my intention to also advocate for a shift to a single-payer healthcare system. As much as possible this book and the discussions in this chapter aim to avoid politics.
After decades of technological lag, biomedicine has started to embrace new technologies with increasing rapidity. Next-generation sequencing, mobile technologies, wearable sensors, three-dimensional medical imaging, and advances in analytic software now make it possible to capture vast amounts of information. Yet we still struggle with the collection, management, security, and thoughtful interpretation of all this information. At the same time, healthcare is changing quickly as the field grapples with new technologies and is transformed by mergers and new partnerships. As a complex adaptive system, healthcare is more than the sum of its parts, and it is always difficult to predict the future. But we do know that as the post–Affordable Care Act healthcare landscape takes shape, the industry is shifting toward digitally enabled, consumer-focused care models. Given these trends, technology will be granted many opportunities to improve patient care.
At the outset of this book it is worth surveying some of the top issues in healthcare. For many of you, these will be quite familiar. Whether you’re an expert or not, you should feel free to skip ahead if you like. But it is my sincere hope that the background material will be of real value in bridging the gap between healthcare and biomedicine, on the one hand, and information technology (IT) and data management, on the other. Just as doctors in an age of increasing specialization can benefit from attending to the whole patient, it is very valuable for IT staff to have a more holistic and systemic understanding of healthcare.
TOP ISSUES IN HEALTHCARE
There are many, many sources that comment on the state of healthcare and biomedicine more broadly. Although I worked as a contractor for two of the country’s largest Medicare/Medicaid contract holders, I am not a policy expert. But I have come to appreciate the importance of taking in the bigger picture. My admittedly incomplete survey of top healthcare issues is drawn from PwC’s Top Health Industry Issues of 2016 and PwC’s Top Health Industry Issues of 2015 [1]. These two brief reports offer compelling syntheses and analyses of current trends. In rereading these reports and reflecting on my own experiences in the field, I was struck by the number of top issues that are substantially or in part data or IT issues. Many of the top healthcare issues are centrally concerned with the storage, security, sharing, and analysis of data. In other words, IT and data management will be called on to make major contributions to advancing the dynamic healthcare field. Next I explore nine key issues impacting healthcare.
Mergers and Partnerships
As the health sector continues to change in response to the Affordable Care Act (2010), we are seeing many mergers and partnerships. “The ACA’s emphasis on value and outcomes has sent ripples through the $3.2 trillion health sector, spreading and shifting risk in its wake. At the same time, capital is inexpensive, thanks to sustained low interest rates. Industry’s response? Go big” [2]. Mergers between large insurance providers are consolidating the insurance market. In 2015, the second largest U.S. insurer, Anthem, made a $48.4 billion offer for health and life insurance provider Cigna. Mergers have also been common in the pharmaceutical field, including Pfizer’s whopping $160 billion deal for specialty pharmaceutical star Allergan. While these deals are still awaiting regulatory approval, 2016 and 2017 will likely see more mergers and acquisitions. Many new partnerships are also being formed between pharmaceutical, life sciences, software, pharmacy, healthcare providers, and engineering companies, among others.
Mergers, acquisitions, and partnerships are driven by a number of larger market forces. Sometimes predicted lower IT or data costs drive consolidation. More often it is simply that IT and data will need to be able to respond nimbly to these changes. One of the largest challenges is postacquisition data management.
Many providers in the healthcare space have grown through organic means and have survived on shoestring budgets. When compliance moved to the forefront, many chief information officers were granted grace periods to meet compliance and conducted internal audits, patching together existing components to meet the objectives. This expenditure had the systemic impact of preventing the distribution of funds toward infrastructure improvements. The maintenance of many legacy systems resulted, leaving organizations with out-of-date, proprietary, inflexible systems that were simply not designed to interoperate on the larger scale. Now when that smaller provider, which potentially maintains a large collection of Medicare/Medicaid accounts, is acquired by a larger entity, the most significant challenge is the integration of those legacy systems without impacting operational activities. The challenge of migrating years of patient data records into a system from an out-of-date platform encumbered by complex and tangled spaghetti code and created by a resource long since departed is substantial. The need to do so while maintaining business continuity drives many a large entity to maintain the down-level system for years following the acquisition.
Cybersecurity and Data Security
As more and more patient data is stored and shared, security is an increasing concern. Patient data typically contains individualized information. If that data is stolen, the risks of identity theft are substantial, and there exists a thriving black market for stolen health records. Data security breaches are relatively common. “During the summer of 2014, more than 5 million patients had their personal data compromised” [1]. These breaches are often costly for companies. Medical devices themselves can also be hacked. For example, in 2015 the government warned that “an infusion pump . . . could be modified to deliver a fatal dose of medication” [2].
The needs for elastic scalability, rapid provisioning, resource orchestration, high availability, and storage efficiency have contributed to the explosion in cloud providers and niche service offerings. However, this explosion has also opened holes in known security elements that were once sealed. Cloud security challenges span a wide range. At one end is the seemingly innocuous VM sprawl, where virtual machines are orphaned in an on/off state and fall outside of the domain security policy for things as basic as patching and maintenance [3]. At the other end of the spectrum is virtualization hacking, where an adversary gains access to a host (a larger component [server] that houses multiple guests). Hypervisors or virtual machine monitors (VMMs) have been hardened over the years; however, they are only as fortified as their caretakers determine. One key determinant is the organizational structure or culture. A company that owned 100 bare-metal servers in a medium-size data center may have had 10 employees assigned to manage the environment and provide operational support. With the advent of virtualization, workforce reductions have taken place and the distribution ratio of humans to servers has changed. Between 1991 and 2006, a ratio of 1:100 was typical for a large company that provided operational support like a web hosting company [4]. These numbers do not include application specialists and development staff. In today’s cloud and highly virtualized environments you could see a 1:1,000 ratio of humans (admins) to guests (virtual machines/computers). Efficient providers like Rackspace.com and GoDaddy.com may have 10 to 20 times that ratio [5, 6].
A key component that supports that exponential ratio is robust resource orchestration, which supplies the common ecosystem bits such as backups, network routing, addressing, domain name space management, and availability. Years ago these elements had unique humans as designees owning the responsibility.
Now we can understand how an environment could grow organically, leading to VM sprawl that opens up security gaps. What can be done with orphaned guests long since forgotten by their caretakers?
Adversaries compromise vulnerable virtual machines and enlist armies of botnets or zombie computers assigned to unified tasks [7]. The best-known tasks are distributed denial-of-service (DDoS) attacks aimed at larger public targets, like universities or public businesses. Such large-scale attacks were described in the 11th Annual Worldwide Infrastructure Security Report [8]. Let us also remember that small-scale orphans, like zombies, can still make efficient spam servers, darknet servers, hubs for the distribution of pirated software, and so on. These examples of nefarious computing are familiar to administrators and have just moved to the cloud, where watchful eyes lack the granularity once associated with higher human-to-machine ratios. The relative anonymity behind these expansive and sometimes liberal usage models provides spammers, malicious code authors, and hacktivists opportunities to conduct their activities with relative impunity [9]. Private/public cloud Platform as a Service (PaaS) installations are typically the low-hanging fruit for these breaches, although recent evidence shows hackers targeting some larger Infrastructure as a Service (IaaS) vendors [10]. Hacking of PaaS or IaaS can be referred to more accurately as virtualization hijacking rather than hacking, as the virtual machines are hijacked and enlisted to perform some nefarious task.
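The VM sprawl described above can be caught with a routine inventory audit. The following is an added example, not code from the book: it flags guests that have no active owner, sit outside any patch group, or have gone stale, using a constructed inventory whose field names, thresholds, and owner list are all assumptions.

```python
from datetime import date

MAX_PATCH_AGE_DAYS = 45  # assumed policy threshold
MAX_IDLE_DAYS = 90       # assumed: days without an administrative login

# Constructed inventory export; field names are hypothetical.
INVENTORY = [
    {"name": "ehr-db-01", "owner": "dba-team", "power": "on",
     "patch_group": "prod-weekly", "last_patched": date(2016, 5, 20),
     "last_admin_login": date(2016, 6, 1)},
    {"name": "test-hl7-03", "owner": None, "power": "off",
     "patch_group": None, "last_patched": date(2015, 1, 10),
     "last_admin_login": date(2015, 2, 2)},
    {"name": "web-portal-02", "owner": "web-team", "power": "on",
     "patch_group": "prod-weekly", "last_patched": date(2016, 2, 1),
     "last_admin_login": date(2016, 5, 30)},
    {"name": "poc-analytics", "owner": "jdoe", "power": "on",
     "patch_group": None, "last_patched": date(2015, 11, 1),
     "last_admin_login": date(2015, 11, 3)},
]
ACTIVE_OWNERS = {"dba-team", "web-team"}  # constructed: teams that still exist


def audit_guest(vm, today, active_owners):
    """Return the sprawl indicators that apply to one guest."""
    findings = []
    if vm["owner"] not in active_owners:
        findings.append("no-active-owner")
    if vm["patch_group"] is None:
        findings.append("outside-patch-policy")
    if (today - vm["last_patched"]).days > MAX_PATCH_AGE_DAYS:
        findings.append("patch-stale")
    if (today - vm["last_admin_login"]).days > MAX_IDLE_DAYS:
        findings.append("idle")
    return findings


def audit_inventory(inventory, today, active_owners):
    """Map guest name -> (priority, findings) for every guest with findings."""
    report = {}
    for vm in inventory:
        findings = audit_guest(vm, today, active_owners)
        if findings:
            # A stale guest that is powered on is exposed now; one that is
            # powered off misses patch windows and boots back out of date.
            exposed = vm["power"] == "on" and "patch-stale" in findings
            report[vm["name"]] = ("high" if exposed else "review", findings)
    return report
```

Guests reported with "no-active-owner" are the orphans the text describes; the usual follow-up is to assign an owner and enroll the guest in a patch group, or to decommission it.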
Securing Multitenant Hosts
Cloud computing has a key characteristic, the virtualization layer. However, all virtualized systems and cloud systems have underlying components building up the infrastructure (e.g., network, storage, central processing unit, graphics processing unit, etc.) that were not dedicated or optimized specifically for virtualization until recently. The delivery of strong isolation capability in a multitenant environment is typically the first identified gap in security audits. What does it matter if security exists at the guest level if the underlying host can be exploited with a known UNIX kernel exploit? Addressing this security vulnerability can be accomplished through means that are beyond the scope of this text. The suggested reference materials align the host with Defense Information Systems Agency Security Technical Implementation Guide (DISA-STIG) guidelines [11].