Innovation foundation: Smart data governance is a team sport

Five roles to develop and four rules to follow for effective and secure data governance in the age of AI, analytics, pop health and precision medicine.
By Mike Miliard
08:00 AM
Share
technician in server room

Data governance is one of the foundational must-dos for any health system looking to innovate its strategies to drive operational efficiencies, boost quality improvement, optimize population health management or drive precision medicine.

All of today’s overarching care delivery trends – and many emerging technologies of tomorrow – are going to require smart data governance, or fail without it.

So how to do it? How does a hospital build a culture of information governance, ensuring that staff of all stripes know their proper roles, and that data and technology infrastructure are effectively deployed to fuel various types of innovation?

Answering those questions starts with understanding the key roles and rules for success, the relationship between data governance and information security and how to forge cross-departmental partnerships that address both sides of the coin.

Good governance requires five key roles

Good analytics are necessary to achieving clinical, financial and operational gains. And good governance is essential to good analytics.

"As we move to value-based care, the use of data becomes paramount," said David Kho, chief medical information officer and chief digital officer at Miami-based Chenmed Group, one of the nation's largest risk-bearing providers of senior care.

Moreover, as artificial intelligence continues to evolve in healthcare, effective results depend on having quality data for AI algorithms.

"Eighty percent of machine learning is acquiring and cleansing data," said Tyler Downs, chief technology officer at MedeAnalytics. "We tell our customers, that's where it starts. But we're also having to educate them about data governance.”

Data governance is a team effort, with five distinct roles key to making it all work. Among the most important is that of the data steward.

AHIMA described the emerging data steward as a subject matter expert responsible for a specific system or data set who is trained to lead data quality and remediation work, a role that is often distinct from technical master data management work.

Richard Staynings, chief security & trust officer at Clearwater Compliance and a member of the HIMSS Privacy and Cybersecurity committee, said data stewards are "ultimately responsible for the security of the data."

Moreover, they're tasked with having "adequate processes and procedures in place to ensure the integrity of that data, including who has access to it," said Staynings, who will be speaking at the upcoming HIMSS Healthcare Security Forum in Boston, Oct. 15-16.

"We have to have a shared meaning when we talk about a single source of truth."

David Kho, Chenmed Group

Other important jobs to do

But as ChenMed's David Kho explained, data stewards are just one of the five crucial stakeholders who all play a role in good governance.

In addition to data stewards, those are:

  • Data owners or sponsors (execs or department leaders or execs who are accountable for specific datasets – this is in contrast to stewards, who maintain ongoing quality of that data)
  • Data custodians (similar in some ways to a steward but often focused on enforcing business rules about data access, custody or exchange);
  • Data producers (a wide array of health system staff, on both the clinical and business sides, whose activities generate data), and
  • Data users (those in the enterprise who are tasked with doing analytics and deriving useful from various data sets, who are ideally able to access and use it all in optimal ways).

It's critical that people in each role know their responsibilities, said Kho, but also the limits of those responsibilities.

You can read more from Kho's presentation at the June 2018 HIMSS Big Data and Healthcare Analytics Forum, "Data Governance 101," here. He'll also be speaking at the next Big Data forum in Boston, October 22-23.

"Clarifying roles allows people to say, 'You have authority, but we're looking to you for a very specific role and function within this concept of data governance,'" he said. "We're not used to thinking in those terms."

Just as important, if not more so, is that, once those roles are defined, each person must be able to speak the same language when it comes to the pillars of data governance, such as data quality and data lineage, he said.

"We have to have a shared meaning when we talk about data quality," said Kho. "We have to have a shared meaning when we talk about a single source of truth."

Since effective analytics programs usually depend on the comingling of both clinical and administrative data, it's critical that there be a shared understanding about how each fits into the bigger picture. When a health system is engaged in long-term, longitudinal population health management, for instance, it's dependent on all kinds different data.

"You're using administrative data as a way to confirm two key types of quality measures – both process and outcomes measures," Kho explained.

"Did this person receive a screening test, or a mammogram? Did this patient receive a hemoglobin A1c test because they are a known diabetic? Ensuring that standards of care are being practiced and holding providers responsible to these health maintenance-type tasks," he said.

"As you're becoming increasingly reliant on data, you need to boost your data integrity controls, and your data availability controls."

Richard Staynings, Clearwater Compliance and member of the HIMSS Privacy and Cybersecurity committee

Four rules to follow for effective data governance

Kho emphasized the value of four simple goalposts along the road to better data governance – key lessons learned from Lean methodology, he said.

After the aforementioned first steps – once everyone knows the basics of vocabulary and is clear on their roles – there are four guidelines:

  1. Only work on what is needed
  2. Set a deadline
  3. Get the right people involved
  4. Check back frequently with your stakeholders.

Keeping a narrow focus and concentrating small batch sizes is a smart way to start.

To illustrate this, Kho pointed out that the reason factory conveyor belts work efficiently isn't because they're fast – it's because they're narrow.

Health systems are "amassing so much data," he said. Even for those who recognize its importance and realize the need to make more happen with it, there can tend to be a paralysis, often caused by exactly the issues noted above.

Getting large healthcare organizations to rethink the way they organize staff roles in relation to data governance is easier said than done. Effective change management processes are key. Kho recommended a three-pronged approach of "incentivizing, nudging and training" to help get hospital staff onboard, and suggests constant check-ins – 15-minute daily standups, biweekly demos – "to make sure you're on the right track."

"Eighty percent of machine learning is acquiring and cleansing data."

Tyler Downs, MedeAnalytics

Security must be baked into governance processes

A recent HIMSS Media survey found that eight out of 10 health IT decision-makers said that security concerns "frequently or occasionally derail or stall technology innovation at their organization."

Respondents' top concerns included patient privacy, lack of a robust security architecture and tight security budgets.

But security is non-negotiable. So the better health systems get at making secure data governance practices an ingrained part of their way of doing business each day, the better off they'll be.

"They need to go hand in hand," said Richard Staynings, of Clearwater Compliance, describing security and analytics. "As you're becoming increasingly reliant on data, you need to boost your data integrity controls, and your data availability controls."

And again, it's the people who matter. Tyler Downs of MedeAnalytics said it starts with "having some fundamental rules with your security team or your infosec team: What are the source systems you're going to touch? Out of those systems, what is considered PHI or not?"

The importance of robust processes and procedures around privacy and security should be obvious, of course.

"From a security perspective, I'm concerned with the integrity of the data," said Staynings. "We're reliant on valid data to treat patients, and if that data is inaccurate, or compromised or unavailable, then obviously I  have a concern from a patient safety perspective."

Electronic data has become indispensable to the treatment of patients. "If that big data is inaccurate, then the quality of patient care declines significantly," he said – especially nowadays, with "the creeping influence of artificial intelligence in healthcare, where human decision-making is more and more removed from the game."

One more governance to do: data de-sanitization controls

Another big issue Staynings pointed to is the reality that data is being extracted from various sources, such as EHRs, for use by analysts, researchers and data scientists who do not always appreciate the need for confidentiality as much as they should.

Hospitals working with them need to “put into place either de-sanitization controls, to remove HIPAA identifiers from datasets, or, alternatively, making sure that researchers are following HIPAA privacy and security rules and not endangering the confidentiality of that data," said Staynings.

Another mistake to avoid: Don’t just build a data science team without first determining how it will access information and the security implications of making that data usable.

"It just comes down to a question of making sure you've got controls in place where that data is going," he said. "If it's going into a research environment, then make sure, if that is not de-sanitized, that that data is protected  to the same level that EHR data would be in a hospital environment.

Big data will only get bigger

Beyond the five essential personnel roles, the four rules and the security and de-sanitization controls, making governance work depends on healthy partnerships and collaborations between the data wonks on the analytics side and the infosec pros.

Once the human half of the equation is squared away, Staynings said the technology – and he expects more and more "robust security controls built into the technologies that are coming down the road" – will be that much easier.

That means, as big data gets bigger and bigger, hospitals should have the knowledge,  readiness and governance to keep it safe and secure – no matter how big it continues to grow.

"If you've got the process, the procedures, the technology, the tools in place then the volume of the data shouldn't really matter," said Staynings.

Focus on Innovation

In September, we take a deep dive into the cutting-edge development and disruption of healthcare innovation.

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com