EEG in a Connected World

Mary Anne Griffin, R. EEG/EP T., Lifelines Neurodiagnostic Systems, Inc.
Garðar Þorvarðsson, MSc Mathematics, Kvikna Medical ehf

Summary: Over the past several years, the use of Cloud-based technology has expanded into many aspects of business, as well as in the private sector. The global healthcare industry has also begun adopting Cloud technology, accelerating the way information is used and shared, increasing the quality of services offered to patients, decreasing healthcare costs, and boosting efficiencies. This paper will discuss considerations for Cloud-based solutions impacting neurodiagnostic testing.

Introduction

Since the first electroencephalograph (EEG) was documented in 1929 by Hans Berger until the early 1990s, recording EEG remained fairly constant. Each analog, pen-and-ink EEG instrument stood alone, with every patient's individual recording comprising hundreds of pages of brainwaves. Everything was done manually, and frequently, the responsibility for patient set-up and recording, as well as documentation and archival storage of the studies, was squarely placed on the EEG technologist, most often in a hospital EEG department.

A major evolution in the world of neurodiagnostics took place about 25 years ago when digital EEG was introduced. This technology not only silenced the pens and saved the trees, but it offered a digital connection between an EEG exam room and a physician's reading room, and all data securely remained within the boundaries of the EEG lab. In the late 90s, digital, video-synced EEG for epilepsy monitoring was introduced. This allowed clinicians to more precisely monitor their patients' EEG data and physical events simultaneously. This step in technology created massive amounts of EEG and video data sets which were streamed onto a central server.
This allowed access from any computer on the network, but it required incredibly large server solutions, with equally large costs and maintenance demands.

Neurodiagnostics is now facing its next phase in progression: Cloud-based technology. No longer is it necessary for the EEG to be recorded and interpreted within the EEG lab. With these restraints lifted, this new technology offers many benefits, but there are challenges and new considerations, as well. One of the biggest areas of concern is in keeping video EEG (vEEG) data safe outside the confines of the neurodiagnostic lab. The security and regulations imposed by laws such as HIPAA can seem daunting. What does one need to do to be in compliance with these regulations? How does the EEG collection and reading software keep the data safe? When logging into the Cloud from unregulated sites, how can data security be assured? What about cost? Is it really as expensive to have data stored on the Cloud as it is to host it on a private server? How will growth be managed? What kind of benefits does Cloud-based technology offer? Are the benefits worth making the switch from standard, digital recordings? What other considerations need to be taken into account when evaluating Cloud-based systems? And how does Cloud-based technology vary from the third-party, remote desktop services and programs that are currently available?

Digital EEG Basics

In a standard neurophysiology lab using digital EEG technology, an EEG is recorded, with or without video, in either an outpatient office, a hospital department, or at the patient's bedside. For severe epilepsy cases, the patient may be admitted to an Epilepsy Monitoring Unit (EMU), where he or she is confined to the room or space designated for recording and monitoring, and extensive testing is performed. After a study is complete, the EEG may then be transferred from the collection device's hard drive to a disk or external drive and hand-delivered from testing to reading room.
Optionally, the data may be transferred over a local area network (LAN), but in either scenario for data transfer, unless the disk or external hard drive is physically removed from the lab, the data remains secure in a very controlled system of being recorded, uploaded, interpreted, and stored for long-term archival. This workflow is typical for neurodiagnostic studies, and although it is mostly secure, there are still risks and limitations to digital systems. Human error is always a risk, with external hard drives potentially being lost or damaged. Regular backup is mandatory to protect against an attack by viruses or malware/ransomware. Because data servers are on the same LAN as personal workstations, user error could allow ransomware into the system, which could move throughout the LAN, affecting the servers. Data needs to be backed up offsite, as well, to protect in the event of a catastrophic event at the hospital.

The Cloud: Where It Is and How It Works

So, what and where is the Cloud? Cloud computing is defined as the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than on a local server or personal computer. This simply means that data and software are stored on offsite, remote servers, known as server-farm infrastructure, and accessed over the Internet. In traditional computing, the EEG recording and interpretation technology would be found on a local computer's hard drive, with networked servers used for archiving and data back-up. With Cloud-based technology, the local data center, as well as off-site data back-up systems, can be eliminated.

Cloud-Based EEG Overview

With Cloud-based EEG technology, the software to perform the study is provided as a service by another company and is known as Software as a Service (SaaS). The patient is set up, and the vEEG is recorded in the same manner as it would be on a digital EEG system. But instead of the data being recorded, accessed, and stored on a local system, the software to run the study and the data storage server are seamlessly accessed over the Internet.
The server is located in a secure, and often undisclosed, location somewhere on the Cloud. Once on the Cloud server, all data remains encrypted and is securely protected. With SaaS, the software licenses, updates, and security are provided, maintained, and completely managed by IT professionals who specialize in this type of service, relieving the EEG technologist and hospital IT department of this responsibility. The latest versions of software are rolled out to users, who then have the option to push the update. Services are available on-demand and are often provided on a pay-as-you-go subscription basis. This means that data is always available, wherever the user may be, as long as there is a good Internet connection. Most Cloud providers are extremely reliable in providing services, with many maintaining 99.9% uptime.

In order to access the recorded EEG and video data for pruning or review, a Client Application is installed onto a local computer, and it requests the pages of data from the server. The SaaS opens the files, and the Client only allows the data to be viewed.

Data is never downloaded onto a user's computer; therefore, the opportunity for electronic Protected Health Information (ePHI) and patient data to be left on any computer, whether it is open, closed, on or off, is completely eliminated.

Security: HIPAA and HITECH Acts

HIPAA: A Brief Overview

Perhaps the largest concern with Cloud-based EEG is security. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 provides data privacy and security provisions for safeguarding medical information. Title II of HIPAA establishes national standards for processing electronic healthcare transactions and requires healthcare organizations to implement secure, electronic access to health data and to remain in compliance with privacy regulations.

What is the HITECH Act?

The Health Information Technology for Economic and Clinical Health (HITECH) Act was created to expand the scope of privacy and security protections under HIPAA, in addition to allowing for more enforcement and increased penalties for noncompliance. For more information about these Acts, please see HIPAA Definitions at the end of this paper.

Security in Neurodiagnostics

So how do HIPAA and HITECH regulations affect EEG and patient data? Multiple levels of security need to be built into every step of the process, from patient information being collected, through the testing procedure, and finally in the EEG reading and reporting structure.

Code of Federal Regulations (CFR) 21 Part 11

The FDA published regulation CFR 21 Part 11 to establish requirements for electronic records and electronic signatures to ensure there are controls in place equal to those for paper records. Part 11, as it is commonly called, defines the criteria for compliance, which include audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing the electronic data.
Access Levels and Audit Trails

The ability to control access levels for users is a serious consideration, as access to patient data by unauthorized users can be a breach of security and result in HIPAA fines. The tighter the access control, the more secure a system will be. Both HIPAA and CFR 21 Part 11 require regular review of information system activity. Procedures should be in place to review records, including audit logs, access reports, and security incident tracking reports. Audit trails must log all events in the lifecycle of the study. The HIPAA Security Rule requires that passwords be established for each individual user within a system. This allows an audit trail to be generated and maintained every time the system is accessed and any data is created, modified, pruned, exported, or deleted. The audit trail should time-stamp and document login credentials, as well as provide a description of what was done during the time the user was logged in.

Access controls will vary between recording systems. Systems may or may not allow access levels to be assigned on a per-patient basis. Some systems can only grant a user full access to all patients and data; the user may have a specific access level assigned to them, e.g., prune only, but that access level applies to each and every patient in the database, whether the user should have access to a patient record or not. Other systems provide tighter user access and restrict the user to only those patients who have been assigned specifically to them. The user does not know a patient exists unless they've been assigned access. Other access levels include:

Read-Only Access: The patient information and recorded data can be seen and read only.
Anonymized Access: The recorded data can be seen and read only, but the user cannot see any identifying patient information.
Analysis Access: The user is only allowed to create and edit reports; these users may not access or change any patient data.
Blinded Analysis Access: The user can see, change, and edit events while reviewing the EEG and creating reports; however, they cannot see any identifying patient information. This is required when reviewing studies for research.

All access to ePHI should be monitored, logged, and accessible in case of a security breach. If there is a breach, audit trails are critical to investigating what data was accessed and by whom. HIPAA requires that audit logs be kept for at least six years.
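The following is an added example, not code from the paper or from either author's company, showing how the per-patient assignment model and the access levels listed above fit together with an audit trail. It assumes a small in-memory server: grants are made for one patient at a time, a user's patient list contains only assigned patients, the Anonymized and Blinded Analysis levels strip identifiers before the view is returned, the Analysis level (reports only) is refused a study view, and every open attempt, allowed or denied, is written to a time-stamped audit log. The patient records, user names and clock are constructed samples.

```go
package main

// Added example (not the paper's or any vendor's code): per-patient access grants
// with the access levels named in the paper, plus an audit entry on every attempt
// to open a study. Patient records and user names are constructed samples.

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// AccessLevel lists the levels described in the text; NoAccess means "not assigned",
// so the patient is invisible to that user.
type AccessLevel int

const (
	NoAccess        AccessLevel = iota
	ReadOnly                    // identifiers and EEG visible, nothing editable
	Anonymized                  // EEG visible, identifiers hidden
	Analysis                    // reports only; no access to patient data
	BlindedAnalysis             // events editable, identifiers hidden (research)
	FullAccess
)

// Patient is a constructed sample record; MRN stands in for any identifier.
type Patient struct {
	ID, Name, MRN string
	EEG           []float64
}

// View is what the client is allowed to render for one study.
type View struct {
	PatientID, Name, MRN string
	EEG                  []float64
	CanEditEvents        bool
}

// AuditEntry is one time-stamped line of the audit trail.
type AuditEntry struct {
	When    time.Time
	User    string
	Patient string
	Action  string
	Allowed bool
}

// Server holds patients, per-patient grants (user -> patient -> level) and the audit log.
type Server struct {
	patients map[string]Patient
	grants   map[string]map[string]AccessLevel
	Audit    []AuditEntry
	now      func() time.Time // injectable clock so the log is reproducible in tests
}

func NewServer(now func() time.Time) *Server {
	return &Server{patients: map[string]Patient{}, grants: map[string]map[string]AccessLevel{}, now: now}
}

func (s *Server) AddPatient(p Patient) { s.patients[p.ID] = p }

// Grant assigns a level for exactly one patient; nothing is granted database-wide.
func (s *Server) Grant(user, patientID string, level AccessLevel) {
	if s.grants[user] == nil {
		s.grants[user] = map[string]AccessLevel{}
	}
	s.grants[user][patientID] = level
}

// ListAssigned returns only the patients assigned to the user, sorted for stable output.
func (s *Server) ListAssigned(user string) []string {
	var ids []string
	for id, level := range s.grants[user] {
		if level != NoAccess {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

func (s *Server) log(user, patientID, action string, allowed bool) {
	s.Audit = append(s.Audit, AuditEntry{s.now(), user, patientID, action, allowed})
}

// Open checks the user's grant for this one patient, logs the attempt either way,
// and strips identifiers for the anonymized and blinded levels.
func (s *Server) Open(user, patientID string) (View, error) {
	level := s.grants[user][patientID]
	p, known := s.patients[patientID]
	if !known || level == NoAccess || level == Analysis {
		s.log(user, patientID, "open", false)
		return View{}, errors.New("access denied: study not assigned to user at a viewing level")
	}
	s.log(user, patientID, "open", true)
	v := View{PatientID: p.ID, Name: p.Name, MRN: p.MRN, EEG: p.EEG}
	if level == Anonymized || level == BlindedAnalysis {
		v.Name, v.MRN = "", ""
	}
	v.CanEditEvents = level == BlindedAnalysis || level == FullAccess
	return v, nil
}

func main() {
	s := NewServer(time.Now)
	s.AddPatient(Patient{ID: "P001", Name: "Sample Patient", MRN: "MRN-0001", EEG: []float64{0.12, 0.15, -0.03}})
	s.AddPatient(Patient{ID: "P002", Name: "Other Patient", MRN: "MRN-0002"})
	s.Grant("dr.reader", "P001", Anonymized)
	fmt.Println("assigned to dr.reader:", s.ListAssigned("dr.reader")) // P002 is not listed at all
	v, _ := s.Open("dr.reader", "P001")
	fmt.Printf("view: name=%q mrn=%q samples=%d\n", v.Name, v.MRN, len(v.EEG))
	if _, err := s.Open("dr.reader", "P002"); err != nil {
		fmt.Println("P002:", err)
	}
	for _, e := range s.Audit {
		fmt.Printf("%s user=%s patient=%s action=%s allowed=%v\n",
			e.When.UTC().Format(time.RFC3339), e.User, e.Patient, e.Action, e.Allowed)
	}
}
```

The denied attempt on P002 is logged with the same fields as the allowed one; that denied line is exactly what a breach investigation needs in order to answer "who tried to reach what, and when", which is the point the text makes about audit trails.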

Data Encryption

Using an algorithm, data encryption converts regular, readable text into encoded data. An encryption key is the only way for someone to translate the data back into its original version. The Advanced Encryption Standard, or AES, was established in 2001 as the specification for the encryption of electronic data; it has been adopted by the US government and is used globally. The strongest, industry-leading standard for data is AES 256-bit encryption. Encryption mitigates the risk of unauthorized access to information. In addition to offering HIPAA-compliant solutions to authorized users, this feature mitigates risk on lost or stolen devices. The data must also be encrypted during both transfer and storage on the Cloud server. This is to eliminate the risk of data breach should the data center suffer a break-in, either physical or over the Internet. Various levels of data encryption for EEG and video data include:

Full-Disk Encryption: All data is encrypted on the collection computer's hard drive, including the operating system. It requires user authentication for access. This is critical on the EEG recording system, where the data is recorded, compressed, and 256-bit encrypted before being transferred from the collection computer to the Cloud.
File-Level Encryption: File-level encryption is the mechanism that locks and secures the data, so no one else can get access to it, no matter where it is. This allows users to encrypt specific files and folders, such as ePHI and EEG during recording, with a unique key.

An EEG system should allow only a system administrator to have authorized access to the exam data on the server. Other users, such as technologists and physicians, can still be given access to view the exam files, but they cannot access the data. If this security is not in place, anyone could access a video EEG file of a patient being monitored, via Windows Media Player, for example, and post it to YouTube, creating a major HIPAA violation.
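As an added example (not code from the paper or from either author's company), the block below shows what file-level encryption with a unique per-file key looks like in practice, using AES-256 in GCM mode from the Go standard library. It assumes each exam file gets its own 32-byte key, that the file name is bound to the ciphertext as associated data so a sealed file cannot be re-labelled as another patient's exam, and that an on-disk check for a known identifier is the quickest way to confirm nothing is stored in the clear. The exam contents and file names are constructed samples.

```go
package main

// Added example (not the paper's or any vendor's code): per-file AES-256-GCM
// encryption for an exam file, with the file name bound as associated data.
// The exam bytes and file names are constructed samples.

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewFileKey draws a fresh 256-bit key; each exam file gets its own.
func NewFileKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile returns nonce || ciphertext || GCM tag. The associated data (here the
// file name) is authenticated but not encrypted, so a sealed file cannot be
// quietly re-labelled as a different exam.
func EncryptFile(key, plaintext, associated []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, associated)...), nil
}

// DecryptFile reverses EncryptFile; any modified byte, wrong key or wrong
// associated data fails authentication and yields no plaintext at all.
func DecryptFile(key, sealed, associated []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed file too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], associated)
}

// ContainsIdentifier is the on-disk check: does a byte string still expose a
// patient identifier in the clear?
func ContainsIdentifier(data, identifier []byte) bool {
	return bytes.Contains(data, identifier)
}

func main() {
	exam := []byte("PATIENT:MRN-0001;EEG:0.12,0.15,-0.03,0.08") // constructed exam contents
	name := []byte("exam-0001.eeg")
	key, err := NewFileKey()
	if err != nil {
		panic(err)
	}
	sealed, err := EncryptFile(key, exam, name)
	if err != nil {
		panic(err)
	}
	fmt.Println("identifier visible in plaintext:", ContainsIdentifier(exam, []byte("MRN-0001")))
	fmt.Println("identifier visible in sealed file:", ContainsIdentifier(sealed, []byte("MRN-0001")))
	if _, err := DecryptFile(key, sealed, []byte("exam-0002.eeg")); err != nil {
		fmt.Println("re-labelled file rejected:", err)
	}
	plain, err := DecryptFile(key, sealed, name)
	fmt.Printf("round trip ok: %v (%d bytes)\n", err == nil && bytes.Equal(plain, exam), len(plain))
}
```

Because GCM is an authenticated mode, a sealed file that has been truncated, edited, re-keyed or renamed is rejected outright rather than decrypted into garbage; that property is what makes the "encrypted in transfer and in storage" requirement in the text checkable rather than just asserted. Key storage and distribution are outside this example and are assumed to be handled by the server's key management.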
In a hospital setting with a LAN, a typical, non-encrypted digital system would include recording systems, a server, and review machines, with the necessary review software housed on a local computer. This configuration would grant read/write raw database access to any person who is running the software, from the EEG tech to any IT employee. Using File Explorer, anyone with access could browse to a file where the data is stored and access all EEG data and video files. The files could be maliciously copied and/or deleted, and no one would be able to trace the perpetrator, because there is no auditing system to log what happens in Windows File Explorer. In a Cloud-based system, full-disk and file-level encryption provide security to keep data safe while stored locally, in addition to securing the data during transfer to and storage on the Cloud, eliminating the ability for data to be inappropriately accessed. And with a proper audit log, anyone who accesses the data is documented.

Data Backup and Restoration

HIPAA requires that data is protected using state-of-the-art methods. Physical security of the server location is important, as well as ensuring that the environmental conditions are optimal. This includes completely automatic back-up processes, continuous data protection, and frequent back-ups to geographically diverse locations. There should be 24-hour data monitoring, redundant power supplies in strict environmental controls, and verification that the data is being transferred correctly between the client and server. Patient data should never be stored without proper backup. Redundant disk drives, which create full, mirrored backups of the data, are part of the critical process for recovery from corruption or data loss. Geographic redundancy ensures the data is stored in more than one location, so in the event of a catastrophic system failure due to natural or other disasters, the data is still safe, secure, and accessible.
Access should be available to data whenever and wherever it is needed, and an export function should be available to download the EEG data from the system onto whatever digital medium is preferred by the user, with all access tracked in the audit log. It is imperative that each hospital or user group has a Disaster Recovery Plan in place, should data restoration ever be necessary. This documented set of procedures and processes is critical for protecting and restoring an IT infrastructure in the event of a catastrophe.

Costs of Using the Cloud

The cost of using a Cloud-based EEG solution cannot precisely be compared, dollar for dollar, to traditional methods of performing digital vEEG studies. Costs should be evaluated from a comprehensive, overall view to include tangible items, such as hardware, software, and servers, as well as intangible elements such as maintenance, labor, and support. The tangible items necessary to properly equip a digital neurodiagnostic lab may appear, on the surface, to be less expensive than a Cloud-based solution. However, the true cost of doing business is realized when other, often overlooked expenses are considered.

Human Resources and Ongoing Maintenance and Support

Neurodiagnostic labs usually receive service and support through their Information Technology departments; larger labs may even have specialists solely dedicated to their department. This cost is calculated in the hospital budget. But for non-hospital solutions, managing data backup is an expense that can be much higher than the cost of simply purchasing a server that will be linked to the recording computer. If outages or technical problems arise, unconsidered hidden costs become visible very quickly. Losses in revenue, opportunities, and productivity add up when there is a disruption to the workflow that causes downtime. HIPAA requires that the server be maintained in a secure data room, which must be managed with tight access control. The data must be kept according to state requirements, often 10 years for adult data and much longer for children. If the hard drive is filled, the data must be managed and/or transferred off the drive for long-term archival, or another drive is required to accommodate this mandate. There must also be a backup plan, so the data cannot be lost if something should happen to the recording systems.

With Cloud-based solutions, the IT services are provided, so a lab or service provider does not need to hire IT specialists to manage their data. The services these professionals perform include installation and monitoring of the systems and servers. Repair and replacement costs of hard drive failure, for example, become the responsibility of the Cloud-based solution provider, not the EEG lab. They also manage ongoing maintenance, which is required for updates and upgrades, patches, migration of data, backups, and troubleshooting. Security software updates are part of this service, and the IT professionals managing the servers are constantly monitoring for malicious attacks. This is critical; lack of up-to-date security software is what allowed the 2017 ransomware attack on the British National Health Service.

Flexible Scalability

In order to plan for business expansion using traditional computing, an infrastructure may either be designed early to support future growth, or technology can be added when the growth occurs. At the start of a business, financial resources may already be stretched, and early investment in too much technology could also render the solution obsolete by the time the server space is actually needed. The computer infrastructure must be monitored, updated, and managed on a regular basis as business expands. If it isn't, hard drive space could be depleted in the middle of a study, causing loss of data. Adding infrastructure when needed is another option to accommodate business growth, and although this option seems more feasible than up-front planning, merging technologies can be very expensive and potentially disrupt productivity, as downtime is needed for the upgrade and transition. Cloud-based computing systems are much more flexible than traditional methods for data recording and storage. Server and infrastructure needs are monitored and completely managed behind the scenes and can expand seamlessly when more space is required. Software solutions are kept current and will not become obsolete with changes in technology.
Cloud solutions can be provisioned for peak times, then deprovisioned when increased capacity is no longer needed. This allows a flexible structure that adjusts according to business demands; costs for use fluctuate and grow with changes in business.

Robust Software Features

When evaluating Cloud-based EEG systems, it is important to ensure that software features and workflow functions are robust and customizable.

Patient Data Management

Tasks, such as entering patients' ePHI within the EEG system, can be performed from a central location. The integrated scheduling computer connects to the server when the patient demographic data is entered, and at that time, the study can be assigned to a specific technologist. This information is stored in a file on the server and syncs to the acquisition systems when the tech connects to the server. He or she can then select a patient from a list assigned only to them and begin the EEG recording. The study can also be assigned to a specific reading physician, who will automatically be notified when the EEG is ready for interpretation. When the demographic data is automatically linked to the recorded EEG, the potential for technologist error is eliminated; no longer is it necessary to manually connect the patient's personal identification information, medical history, and medications from one location to the recorded EEG and/or video files which are stored in another.

Customizable Options

A customizable system allows users to set up individualized recording and/or review preferences. Some of the features that can be customized are:

Screen Calibration: To accommodate variances in monitor sizes, both horizontal and vertical screen aspects must be calibrated to accurately display the EEG data.
Event Palette: User events can be defined based on roles, with different event lists for recording techs, pruning techs, and reviewing physicians.
Exam Reports: A user can create his or her own reports with automated data pulled from fields in the database. The hospital or business should be able to add their own logo to personalize the reports, and there can be different reports for different studies, such as routine, portable, ICU, or long-term monitoring.
User Perspective: A user can set up a unique perspective, personalized to their own preference of montages, events, filters, etc. Each user can also define their own preferred colors for the screen and gridlines.

Data Transfer Process

Transferring the data to the Cloud can be automated during acquisition, or done manually at the end of a study. Spike and seizure detection can be run during the upload of a manual transfer or after the exam has been uploaded to the Cloud.

Use of Cloud vs. Third-Party Software

There are multiple third-party desktop services and software programs available that allow remote access to a server for EEG data review. In a hospital setting, EEGs are uploaded to a central server over a network; the reader then uses third-party software to log into this server to review the data. If the EEGs are being recorded remotely, however, there is an extra issue of getting the data to the central server. This requires a File Transfer Protocol (FTP) or similar solution for the distributed acquisition systems to be able to transfer the data to the server before it would be available for review. Although the third-party software allows access to review the data, these software programs are limited by the capabilities of the network upon which they reside. Most concerning is that, during review, the paging speed with remote software is only as good as the network allows. If the network speed is good, the pages will flow quickly. But if the paging speed is faster than the network speed, pages will be lost. There is no warning that pages are missed; they are simply not displayed. Seizures and abnormalities could be missed without the reader even knowing. With Cloud-based software, the paging speeds are controlled by the Client Application. Pages will not go any faster than the transfer speed between the server and the Client, which means that every page will be viewed.

Use of third-party software is also limited by the number of purchased licenses. If a group of physicians shares a single license for reading EEGs, they would only be able to individually access the studies, one at a time.
Two physicians could not be concurrently reviewing the data from different studies unless they purchase another license. A third-party solution for viewing EEG also utilizes significantly more CPU and memory resources than a Cloud-based session. In order to accommodate these demands, the third-party solution requires much faster and more expensive servers to support concurrent users. Cloud-based software allows the Client Application to be installed on any reading physician's computer, who can then access the recorded EEGs on the server from anywhere without having to purchase a license. There are no additional CPU or memory demands to review the data.

Cloud-Based EEG Benefits

When recording EEG with video, the data must be highly synchronized for interpretation. The reading physician needs to observe the patient's EEG and video, as well as patient-documented events and the technologist's comments and observations. ACNS guidelines recommend that the time between the video and EEG recording should be accurate to less than 0.5 seconds, allowing good clinical correlation to be observed. Cloud-based EEG allows collaboration between dispersed groups of people. It provides hospitals in remote areas, which may not have a neurologist on staff, the opportunity to offer neurodiagnostic recording services to their patients. Expert interpretation of the EEG can be provided over the Cloud from wherever the EEG reading physician may be. Because all data remains on the Cloud, security is much stronger with a Cloud-based solution, and compliance with both HIPAA and HITECH Acts is less burdensome for the user to implement. Audit trails guarantee that no one can covertly be in the system, further protecting ePHI. And all the while, IT professionals are constantly monitoring to protect the data from malicious, digital attacks on patient data. Scalability and costs can be managed efficiently, as Cloud solutions accommodate the ebb and flow of business.
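The paging behaviour described in the Cloud vs. third-party section above is illustrated by the following added example, which is a simulation written for this page and not code from the paper or from either author's company. It assumes two viewer models: a timer-driven viewer that advances one page every display interval whether or not the page has arrived (a late page is silently dropped), and a client-controlled viewer that requests pages in order and advances only once the next page is present. The per-page transfer times are a constructed trace with one network stall. It also adds the check the text says is missing from remote viewers: a gap detector over the sequence of pages actually displayed.

```go
package main

// Added example (not the paper's or any vendor's code): a discrete simulation of the
// two paging behaviours described in the text, plus a gap check over the displayed
// page sequence. The per-page transfer times are a constructed trace, not measurements.

import "fmt"

// arrivals turns per-page transfer times (ms) into cumulative arrival times.
func arrivals(transferMs []int) []int {
	out := make([]int, len(transferMs))
	t := 0
	for i, d := range transferMs {
		t += d
		out[i] = t
	}
	return out
}

// TimerPaging models a viewer that advances one page every displayMs regardless of
// the network: page p (1-based) is only shown if it has arrived before the viewer
// moves on at p*displayMs. Late pages are dropped with no warning, as the text describes.
func TimerPaging(transferMs []int, displayMs int) (shown, missed []int) {
	for i, at := range arrivals(transferMs) {
		p := i + 1
		if at <= p*displayMs {
			shown = append(shown, p)
		} else {
			missed = append(missed, p)
		}
	}
	return shown, missed
}

// ClientPaging models a client that requests pages in order and moves on only when
// the next page has arrived and the current page has been on screen for displayMs.
// Every page is shown; the review simply stretches to what the network allows.
// totalMs is the time at which the last page is displayed.
func ClientPaging(transferMs []int, displayMs int) (shown []int, totalMs int) {
	ready := 0 // earliest time the viewer may move on from the current page
	for i, at := range arrivals(transferMs) {
		displayed := ready
		if at > displayed {
			displayed = at // wait for the page instead of skipping it
		}
		ready = displayed + displayMs
		shown = append(shown, i+1)
		totalMs = displayed
	}
	return shown, totalMs
}

// SequenceGaps is the warning the text says remote viewers lack: given the page
// numbers actually displayed, it returns every page number that was skipped.
func SequenceGaps(shown []int) (gaps []int) {
	next := 1
	for _, p := range shown {
		for ; next < p; next++ {
			gaps = append(gaps, next)
		}
		next = p + 1
	}
	return gaps
}

func main() {
	// Constructed trace: 100 ms display cadence, 60 ms transfers with one 250 ms stall.
	trace := []int{60, 60, 250, 60, 60, 60, 60, 60}
	shown, missed := TimerPaging(trace, 100)
	fmt.Println("timer-driven viewer shown:", shown, "missed:", missed, "gaps detected:", SequenceGaps(shown))
	all, total := ClientPaging(trace, 100)
	fmt.Println("client-controlled viewer shown:", all, "total ms:", total)
}
```

With this trace the timer-driven viewer silently skips pages 3 and 4 during the stall and finishes on schedule, while the client-controlled viewer shows all eight pages and finishes about 70 ms later; the gap detector is what turns a silent omission into something the reader can see.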
Conclusion

EEG technology has advanced significantly over the past several years, and now, Cloud-based neurodiagnostic solutions remove restrictions that limit where data can be recorded and reviewed. Rather than having to check into a hospital for a long-term stay in an Epilepsy Monitoring Unit, patients can be monitored for seizures in the comfort of their own homes, with technical staff observing them and available to alert help, should the need arise. And no longer is the interpreting physician required to report to the EEG lab at the end of the day to read the data; they can do so from their office or home computer.

As technological advances in healthcare have been made, EEG has also progressed and is extended into areas of care that traditionally lack neurodiagnostic monitoring capabilities. 24/7 EEG monitoring for patients in the ICU, both adult and pediatric, as well as in the neonatal ICU, is accessible because of Cloud-based technology. Remote, rural areas will also be able to offer these services to their patients. Once this technology has become fully adopted, patients who are suffering subclinical seizures or status epilepticus will be able to be treated more quickly and efficiently. With continued development in IT, strict standards, and focus on data security, neurodiagnostic technology is joining the ranks of other health care arenas, where use of the Cloud has become the standard of patient care. Clearly, this technology is the future of healthcare, and EEG has now become part of the global market, establishing the foundation for the next evolution of neurodiagnostic technology.

Addendum: HIPAA Definitions

Privacy Rule

Privacy of health information is a serious concern for the public. The HIPAA Privacy Rule prohibits a Covered Entity from using or disclosing an individual's Protected Health Information (PHI), unless otherwise permitted or required by the Rule. This includes PHI transmitted or maintained in any form, including electronic, paper, or oral communications, and gives an individual control over his or her own personal health information and how it's controlled, and includes safeguarding of PHI from unauthorized disclosure.

Security Rule

The Security Rule defines the standards for keeping electronic Protected Health Information (ePHI) safe from unauthorized disclosure, destruction, or loss. Security measures and technical safeguards are needed to ensure privacy of PHI records.

Technical Safeguards

Technical safeguards are required to protect ePHI and control access to it.
Technical security features, such as usernames and passwords, must allow only authorized persons to access ePHI. There should be audit controls on hardware, software, and/or procedural mechanisms to record and examine access and other activity in IT systems that contain or use ePHI, e.g., a security log, and electronic measures must be implemented to ensure that ePHI is not improperly altered or destroyed, e.g., firewalls. Technical transmission security, such as data encryption, guards against unauthorized access to ePHI that is being transmitted over an electronic network.

Covered Entities

Covered Entities include health plans, such as insurance companies, employer group health plans, HMOs, and government programs that pay for healthcare, i.e., Medicare, Medicaid, military, and veteran health care programs; healthcare clearinghouses, who process health information they receive from another entity, such as an external billing service; and healthcare providers, including physicians, nurses, hospitals, and EEG service providers, among others.

Business Associates

Business Associates include all third-party vendors and business partners that create, handle, maintain, or transmit Protected Health Information on behalf of a Covered Entity. Examples specific to the medical field include answering services; billing, coding, and collections services; equipment vendors; lawyers and accountants; and IT consultants, etc. When using Cloud-based services, the Covered Entity and/or the Business Associate must enter into a Business Associate Agreement (BAA) with the Cloud Service Provider to ensure the security of ePHI. This is a written assurance that a Business Associate will appropriately safeguard PHI that they use or have access to, and it defines the obligations of a Business Associate.

Authors' Biographies

Mary Anne Griffin has worked in neurodiagnostics since 1980 and is registered in EEG and Evoked Potentials.
She is currently serving as the COO of Lifelines Neurodiagnostic Systems, Inc. Garðar Þorvarðsson has a master's degree in mathematics and is the Managing Director of Kvikna Medical ehf. He has worked in neurodiagnostics research and development since

To find out how Lifelines can help you with your Cloud-based EEG needs, please contact us toll-free at