One of the nation's top cancer care facilities, M.D. Anderson, is now moving to a new electronic medical records system. But first it had to address issues of security and privacy.
Lynn Vogel is vice president and chief information officer at The University of Texas M.D. Anderson Cancer Center in Houston, one of the nation's top cancer care facilities. The center, which sees more than 70,000 patients a year, includes an in-patient pavilion with 512 beds, two research buildings, an outpatient clinic, a faculty office building and a patient-family hotel. M.D. Anderson is also a top research center; about 11,000 patients participated in therapeutic clinical research last year.
M.D. Anderson last year started working with Avanade, a joint Microsoft-Accenture consulting partnership, to develop an electronic medical records system that would integrate patient records with clinical research data using a service-oriented architecture. SOA is a computing architecture that allows an enterprise to make its applications and computing resources, such as databases, available as "services" that can be called upon when necessary.
The U.S. government is pushing health-care organizations, insurers and its citizens to get behind its drive to digitize America's medical records. Electronic health records promise to improve patient care, lower costs and streamline the entire health-care system. But many Americans are concerned about the security of their electronic files and whether government regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), are strong enough to protect their privacy. Vogel spoke last month with Baseline's editor-in-chief, John McCormick, on electronic health records, patient privacy and computer security.
As you thought about sharing health information electronically throughout the hospital, how big of a concern was security and keeping records private?
Well, that's a huge concern for us.
We have a fairly substantial department of information security that watches over this very, very carefully. We take HIPAA requirements, etc., extremely seriously. And at every step of the way, the real key for us is that the patient owns the data. We are viewed as custodians of that data while that patient is with us.
And so [we built in] role-based access, which is if you're a physician, you can only see certain things; if you're a nurse, you can only see certain things; if you're an administrator in the Department of Cancer Medicine, you can only see certain things. The truth is that the more access there is, the more risk there is.
We're developing policies around what happens to data. If you're accessing data from your laptop in a hotel room in Denver, we want to be sure we know who you are, that you have appropriate access and that you are authorized to do the things that you're doing.
You have an internal information security team. What do they do?
All of our Internet access and security is done by our information security department. [They] manage all of our antivirus processes, they manage our spam control for e-mail. They manage all of the firewalls in the institution.
What about encryption?
Internally, we don't worry too much because the data moves fairly freely. We do have a very strict encryption policy when it leaves the institution. People who access data remotely do so through a VPN connection that we manage very carefully. So, we take all that stuff very seriously.
And what about backup? Obviously, most medical information needs to be backed up and, sometimes, kept for years. What's the backup policy, and how do you ensure the security and privacy of those records?
All of our mission-critical applications have a disaster recovery plan and a backup procedure. We actually have a second data center that we use for disaster recovery and backup purposes. All of our major clinical applications, in particular, are in high-availability environments as a way to keep them running seven days a week, 24 hours a day. We probably have now between 600 and 800 terabytes of data that we manage on behalf of the institution, which is significant for a health-care environment.
One of the things we're discovering is that we're going to have to change our approach to this. We obviously, like a lot of places, invested in tape backups and robots and that sort of thing. While you can back things up to tape, recovering from tape is a painfully slow process.
And, in fact, we have just created and hired in our data center a new full-time position, and that person's job is completely, totally focused on storage: backups, recovery, how we store data, what level of storage we have, what we archive, what we don't archive. As you can imagine, in a health-care institution like ours, everybody wants to keep all the data forever and have it accessed immediately.
Probably the best example of that is our imaging environment. We have more than 200 million images online available for our clinicians. That environment is completely replicated, so we actually have 400 million images online, a copy of each one, and we have a third backup we maintain off-site that is an extract of those images.
You said that you're going to review your backup procedures. Are you going to move away from tape?
I think we probably will. We haven't formally made that decision yet. But my guess is in the next three months, we will be doing more backups to disk and also more replication in terms of data at our main data center being replicated immediately (real time, online) at our second data center.
You said before that in a health-care institution like yours, you want to keep data forever. Do you have guidelines or requirements for when information should be destroyed?
No, we actually do not. We currently do not purge data. That's a hospital decision because of their interest in historical research.
For example, we have every piece of laboratory data going back to 1980, when the systems were first automated, flying real time to the clinical and research community provided they have authorizations.
How much do you think you spend on security per year? Can you give me a ballpark of what percentage of your budget is probably dedicated to information security?
My guess would be about 5% to 8%.
And your annual information-technology budget is?
The total annual I.T. budget is a little more than $90 million.
The issue of electronic health records seems, for many people, to come down to security and privacy. But as health-care institutions such as yours take steps to ensure security and privacy, do you think it will lessen the public's concerns about electronic medical records?
I think that's a very hard question to answer.
If you look at the experience in the financial services [industry] and you ask what percentage of the population is really comfortable banking online, it's probably not as high as five years ago. People are concerned. There have been huge, absolutely huge, breaches of data security, whether it was because the truck that had the backup tapes got lost or because somebody managed to hack into a system and download Social Security numbers. I think people are very nervous about that.
The problem with health-care information is if I have a risk factor for a disease that, in fact, might be more damaging to me down the road than compromising my Social Security number.
Right. You can lose your job, lose your insurance.
That's exactly right. And so, I think there's probably a strong reticence among the general population to have all this data shared. I think that's in part why things are going so slowly: that people are really concerned, and appropriately so.
And to many people HIPAA, for all its great intentions, really seems to be toothless. There have been tens of thousands of complaints so far, but very few actions.
A couple of well-publicized cases, probably not to the extent that you might have expected.
Do you think HIPAA needs to be strengthened in some way, shape or form, or enforced more vigorously?
It's like a lot of legislation: it [seems to have] teeth in it as written. The challenge always comes down to the execution. Who's going to pay to make sure all the rules are followed and that everything is done appropriately, etc. That turns out to be an expensive proposition.
You've thought a lot about security. Do you have one or two recommendations for others who may be struggling with data security issues?
Know the strengths and weaknesses of your own organization. We get into situations where we read about what other people are doing and how fabulous it is and if I could just do what they were doing, everything would be fine. Well, health care is a very localized business. You really do have to understand what you can do, what you can't do and what you're willing to tolerate locally. So, that's sort of the first step.
The second step is that nothing happens overnight because of how health care is structured. In many health-care situations, the physicians don't work for the hospitals, they work for themselves; they're small-business men. And so, the challenge is to make sure you move slowly enough that you get people on board, but with sufficient speed that people know you're making progress.
I think it was Peter Drucker who claimed that health care is arguably the most complex industry in our entire economy. And I think that's probably true. And so, as much as we get dinged for being behind the curve and not making investments, etc., when you understand the industry and how it's structured and its history, you begin to realize that there are probably understandable reasons why we are slower than the rest of the world. That may not necessarily be a good thing, but if you understand it, you'd [better understand] what the levers are to change it.