Medical mistakes kill over 250,000 people each year in the U.S.

It is the third leading cause of death overall, behind heart disease and cancer, according to a study by doctors at Johns Hopkins. ¹ These numbers are certainly low, since they do not include deaths at nursing homes, surgery centers, and in-home care settings.

The United States has the most expensive healthcare in the world: the most advanced equipment, the most advanced medicines, the best-trained doctors—yet in a recent study of healthcare quality the U.S. came in dead last out of 11 civilized nations. ² The U.K., Switzerland, and Sweden topped the list. Most Americans would be shocked to learn this.

The U.S. healthcare problem is not due to poor training, faulty equipment, inferior medicines, or lack of financial resources. No, the problem is likely primarily a failure to get the right information to the right people at the right time; that is, caregivers must have accurate, current clinical information to do their jobs properly.

This is an information governance (IG) issue that has life or death consequences. It can be fixed, but healthcare professionals must gain the necessary education and tools, collaborate with experts and each other, and gain executive management support for IG programs.

Across the pond, the issues facing the United Kingdom’s government-funded National Health Service (NHS) are somewhat different, where IG has been an area of focus to ensure data quality and protect patient data for more than fifteen years. Although IG was mentioned in journals and scholarly articles decades ago, the U.K. is perhaps the home of healthcare IG, and arguably the IG discipline. ³ Could this be the reason the U.K. leads the world in healthcare quality? Certainly, it must be a major contributing factor.

Since 2002, each U.K. healthcare organization has been tasked with completing the IG Toolkit, managed by NHS Digital for the U.K. Department of Health. Although the IG Toolkit has evolved over the years, its core has remained constant. However, in April 2018 it was replaced with a new tool, the Data Security and Protection Toolkit, based around 10 National Data Security Standards that have been formulated by the U.K.’s National Data Guardian. ⁴

At the same time the U.K. and the whole of the European Union is replacing its Data Protection legislation. In the U.K., the Data Protection Act 1998, itself based on a 1995 EU Data Protection Directive, is being replaced with the directly applicable (Brexit notwithstanding) EU General Data Protection Regulation (GDPR) and (at this writing) pending Domestic Data Protection Act 2018.

If U.K. healthcare IG professionals weren’t busy enough keeping up with those major regulatory changes, the Care Quality Commission (U.K. regulator) has recently been given increased powers to inspect around IG issues, as a result of the global WannaCry ransomware attack in May 2017. So there is a massive push for healthcare organizations to implement a government-sponsored Cyber Essentials information security certification scheme.

These challenges for IG practitioners must be met within the construct of real-world needs, that is, to share ePHI more safely as the healthcare system attempts to create system-wide Sustainability and Transformation Plans/Accountable Care Organisations. As has been the case globally, securely sharing ePHI has been problematic so IG facets like privacy, data governance, and cyber-security have a prominent focus. Previous attempts in the last two decades to create a national U.K. network to share health information failed. ⁵

According to a recent study, healthcare organizations in the U.S. are increasingly embarking on IG program implementations. ⁶ Although still in the early stages of adoption, organizations are beginning to understand that IG programs and a focus on clinical data quality is an important strategy for succeeding in today’s competitive and increasingly digital healthcare business environment.

IG strategies also address the onslaught of data due to the Big Data trend, that is, a vast increase in the volume, variety, and velocity of data that is being created. Healthcare professionals clearly realize there are opportunities in applying advanced analytics to the mountains of data they are accumulating.

IG programs also address related information management and governance challenges such as the patient privacy, information security, regulatory compliance, information lifecycle management (ILM), and governing newer technologies like the Internet of Things (IoT).

Legal, regulatory, and information security demands are often key drivers for establishing IG programs in all industries, but in healthcare, information quality and control is paramount to improved patient care and outcomes.

The American Recovery and Reinvestment Act required that “all public and private healthcare providers and other eligible professionals (EP)” implement electronic health record (EHR) systems, and show meaningful use by January 1, 2014. ⁷ Meaningful use has a somewhat subjective definition, as stated by HealthIT.gov and other organizations. It means that EHR systems improve care coordination, quality, safety, efficiency, and “engage patients fully” while keeping their health information safe and private. ⁸ Industry estimates often peg meaningful use as utilizing about 40% of overall EHR system capabilities.

EHR automation was mandated by the federal government, and healthcare organizations were threatened with a decrease in Medicaid and Medicare reimbursement levels if they did not implement by the deadline. The result of the mandate to automate, and the mad rush to install EHR systems and to prove meaningful use resulted in many sloppy, haphazard implementations. What is mostly missing are redesigned business processes with a built-in focus on not only data quality and governance but also information privacy and security. Further, the ability to share information between disparate EHR systems to provide continuity of care is generally lacking. ⁹

A focus on data quality, from the ground up, means that clinical assumptions and insights are more accurate, and subsequent downstream reports and analyses are more accurate and trusted. Unfortunately, the consequences in the healthcare environment are much more dire compared to other industries: Bad information means people could die.

The consequences of this general carelessness with information in the healthcare industry have resulted in colossal IG failures that almost daily expose major organizations to reputational and financial risk. For instance, in 2018, LifeBridge Health revealed that the electronic health records (EHR) of over 500,000 patients had been compromised, for over a year. ¹⁰ In 2017, major breaches included the Molina Healthcare breach, which may have compromised 4.8 million patient records, and at Mid-Michigan Physicians Imaging Center potentially over 100,000 patients’ ePHI was breached. The Center delayed reporting the breach while they investigated, and ended up paying a $475,000 fine levied by the Health and Human Services’ Office of Civil Rights (OCR). The 21st Century Oncology breach in 2015 exposed 2,213,597 patients’ records. ¹¹ 21st Century Oncology was fined $2.3 million by the OCR. And in 2015, major breaches included Premera BlueCross, Excellus BlueCross BlueShield, ¹² and Anthem Health, where rogue hackers penetrated the organization and stole possibly over 37.5 million records. ¹³ These organizations obviously did not know where all their protected health information (PHI), personally identifiable information (PII), and confidential electronic documents were located and took inadequate measures to secure that valuable information.

They—and most healthcare organizations—are not managing information as an asset, are not assessing its risks, and do not have a current inventory or accounting of their information assets, particularly sensitive or confidential information. That is, there is no data map showing where different types of information are stored, and most organizations would have difficulty finding all incidences of it so that confidential and sensitive information may be secured.

Most organizations are not paying attention: they leave ePHI and sensitive information (such as race, religion, and ethnicity) out there floating around on their servers unsecured, unencrypted. When it comes time to attend to the problem, most often they “kick the can down the road” and do nothing, since it costs time and money to address the issue. Executives perhaps have their eye on year-end bonuses, not lingering risks. But eventually risks can come home to roost, with horrendous consequences.

The impact only becomes clear after a major event like a data breach or ransomware attack. These types of IG failures can severely damage an organization’s reputation—especially healthcare institutions where people’s health and lives are at stake—and can result in injury, death, and financial loss. Also, thousands of patients can be dragged into a lifelong battle to control their personal information and ePHI.

Ransomware is a major problem. When rogue hackers use ransomware techniques, they take control of an organization’s information and will not release it until a ransom is paid.

When surveyed, nearly 70% of U.S. consumers said they would consider leaving their healthcare provider if it suffered a ransomware attack. ¹⁴

Consumers have high...