Impact Insights

Legacy System Conversions: Security and Sensitive Data

The implementation of a new EHR typically involves the conversion of data from one or more legacy systems that are being replaced. At the onset of such a project, there are many important decisions to be made, including the scope of what is being converted, data extraction/translation/loading (ETL), testing and validation, and timelines for all of these activities.

A by-product of this type of project is a variety of security concerns around the handling and management of thousands to millions of transactions containing sensitive patient data, both personal and clinical. Careful consideration must be given to these critical areas, which I cover in more detail below.

Data Locations

The extraction of patient data (personal and clinical) typically leads to large volumes of files that must be carefully managed. The process often involves creating files on the legacy system’s storage platform. Depending on the situation, once the data has been extracted it can be moved to network drives and/or integration engine platforms for translation and delivery. It is critical to create an environment for testing and validation with controlled access and security.

Short-term data storage: During the extraction and translation phase(s), there should be designated areas authorized for storage of Protected Health Information (PHI).

Long-term data storage: After data has been tested and validated, a critical component for a long-term strategy is to ensure proper management of the data in all locations.

For example:

  • Any data not included for long-term storage needs to be removed.
    • This could include wiping testing/validation environments, deleting files from short-term storage areas, and purging integration engine storage.
  • Archival of original files
    • When legacy systems are retired, organizations may choose to store data extracts for future use. A designated storage area with access control should be created specifically for this purpose.
  • Testing/validation materials
    • Hard or soft copy validation materials may be required for future audits, meaning they should all be retained in storage appropriate to the medium.

Access and authorization

Conversion/integration team members: These users must practice responsible data management during ETL, application build, testing, validation and troubleshooting. They will be exposed to large amounts of PHI and must understand the implications of PHI exposure and the importance of its proper use and security.

EHR application team members: These users are responsible for application build and initial testing. Often, they may not be accustomed to managing large volumes of PHI and should be properly educated prior to exposure.

Clinical/administrative champions: These users focus on data validation. The validation of converted legacy data typically occurs prior to formal user training, so these users will need special training and credentials to access the new system and validate patient charts. Temporary user accounts, with auditing set up specifically for each validator, should be in place, similar to the auditing applied to standard production system users.

Sensitive Information

Legacy data being converted can contain highly sensitive information that is protected on a specific need-to-know basis, such as behavioral health or psychiatric evaluations.

This type of data must be configured in a manner to ensure it is restricted to users who would typically have access to it and to make sure it aligns with confidentiality policies and other user agreements in place for each end user.

Proper testing should be completed to verify that restrictions mirroring legacy access are in place (i.e., behavioral health and psychiatric visits should only be visible to providers within those departments).

The implementation of a new EHR is a busy and exciting time for an organization, as new systems and processes are installed. The primary focus during this time is on the data and workflows of the future, but the conversion of legacy data is a critical component that will give providers the ability to deliver the highest quality of patient care. Managing large volumes of PHI during such a busy time requires an understanding of overarching regulations such as HIPAA or GDPR, as well as state and local mandates. It is imperative that the data conversion team follow proper security protocols for this data, to protect both the patients and the valuable assets of the healthcare organization.