Navigating data governance challenges in healthcare

Reflecting on the first meeting

Back in her office, Hillary picked up the whiteboard marker again. Under the heading of ‘What are VAQ’s Key Data Challenges?’, she added three simple points to her whiteboard:

1. Data accessibility: Which data needs to be accessible to who?

Hillary thought those key challenges provided a reasonable foundation to start from – but how to balance the issues that they raised?

Data accessibility

Hillary kicked off the discussion by asking people to share their views around data accessibility, emphasising that the ideal state was for VAQ to be renown for providing access to the right VAQ data, to the right people, at the right time.

Karan shared ‘As a starting point there’s some core systems that we use within our pharmacy department that we still do not have access to the data…..That’s probably one of the big things…accessibility…Also getting it in a form that’s usable, in a timely manner so that we can start to do things with it’. There was a lot of head nodding around the table, particularly from the clinicians.

Hilary then asked, ‘Who ultimately controls access to our data?’ A collective sigh emanated from the group. Barry, a senior governance director, stated ‘That would be dependent on who you ask, some people say it’s your line manager, others say it’s the CEO. Of course, some systems also have data custodians, but I think I can say for all of us here it can be a little difficult to know who these people are, let alone get their approval….custodians in this place pretty much protect the data’.

A clinical pharmacist from a larger division of VAQ, Xingui, raised her hand to speak, ‘…I think part of the problem is…. finding the right person to go to for the right type of data that you want…It’s who you know or who to go to get access to that data…. It’s not always easy to find out who has what or who can get what that you need’.

Hilary thanked Barry and Xingui for sharing their experiences and asked. ‘What I’m hearing is that we have an abundance of data and systems, but it’s currently unclear, or perhaps inconsistently understood, as to how we gain access to the data we need to complete our work. Would that be a fair summary?’

The room was in general agreement, and Antonia added, ‘Another thing Hillary, you might stumble across some great data, but not all of us are like Karan and able to extract, analyse and then visualise insights from the data. Don’t get me started about the last data analytics training we had, that went completely over my head’.

Hillary paused waiting for further feedback. She made a mental note of how quickly the level of frustration had risen during this discussion. Clearly VAQ’s current ways of working were causing some unintentional consequences.

‘Let’s break for morning tea’, announced Hillary ‘and when we return, we can focus on the second key challenge, data sensitivity’.

Data sensitivity

After a short 15-minute break, the group returned, energised and ready to dive into the next topic. The discussion started around the nature of the healthcare sector compared to other sectors, and how it imposes requirements for the way data is managed. ‘We all acknowledge that health data is very sensitive and it’s very personal…..so we need to guard that with respect and integrity’, shared Brianna. She continued, saying, ‘There are also standards and frameworks in place, and compliance is a big topic when it comes to accessing, sharing, storing, and using the data. At VAQ, we are governed by privacy and health legislation that determines what we can do with our patient data’. A few examples were then shared including the Privacy Act, ISO standards governing data security, as well as best-practice strategies to mitigate cyber-security incidents such as the Australian Cyber-Security Centre’s Essential Eight. ‘As an organisation we’re working through a compliance program against those standards, every single year’, said Antonia.

A key point was then raised on the diversity of data managed by VAQ, each with distinct levels of sensitivity needing different governance mechanisms. Antonia pointed out that clinical data held in clinical information systems have a higher degree of sensitivity than operational data from an admin back-office process. This topic sparked a series of comments about how complex it is to manage these various levels of sensitivity, and how it steals resources and adds significant delays in projects and decision-making processes in the organisation. In Barry’s opinion, ‘Multiple layers of custodianship for systems add further complexity to data governance’. It was becoming clear to Hillary that this tension between ensuring each type of data has a corresponding level of protection according to its sensitivity, whilst managing the various levels of data protection mechanisms was complex!

The conversation then shifted to how data sensitivity promotes a system prone to risk aversion. Halle raised a key point sharing, ‘Because there are no real incentives to allow people to do anything good, but there’s great incentives to stop people from doing anything bad. Everything always errs on the side of, let’s stop anything possible from happening, as opposed to, here you go, let’s see how you can try to innovate or do something different’. Hillary raised her eyebrows. ‘Right’ she said. ‘So, a culture that leans too heavily on avoiding unnecessary risks to protect patients’ information, also discourages actions to try new data analysis approaches, or experiment with data integrations to generate innovative healthcare solutions’.

‘We must balance the scale between risk and benefit’, said Brianna. ‘Innovation is necessary to improve the quality of patient lives and the health services provided to them; the moral obligation towards that should be our guiding light’.

The group reached consensus that new uses of data have produced innovative solutions in the past. Halle explained the creation of a pharmacist prioritisation tool for a pharmacist that provides all the data needed for pharmacist to work at a clinical level on a daily basis. ‘The tool was developed by a tech savvy fellow pharmacist who decided to adopt a risk-taking approach to empower other pharmacists like him’, said Halle. Keiko shared a further example of an ongoing project in collaboration with a university to develop platforms that integrate medical record data and use advanced analytics tools. The aim was to unlock the next view of innovative digital healthcare solutions.

Brianna declared that, besides unlocking innovative solutions, managing risk aversion also holds the key to discovering knowledge that can save lives; knowledge such as this is of public interest and benefits the health service: ‘So there’s been instances when opening up data for research where you hear things like, “Well, it’s just a fishing expedition.” And then you go, “Well, first of all, they’re researchers, even if it’s a fishing expedition.” If they find something of use, who are we to argue? That is still knowledge generation, right?’, Brianna said. ‘As long as releasing that data does not end up creating situations that cause harm to patients, customers and clients in the healthcare system, it should be permitted’ Antonia argued. ‘Yeah, but how can we know this beforehand?’, Carlos added.

It was almost noon, and the group had made solid progress in identifying and unpacking pertinent issues. The tension between protecting sensitive data versus opening its use to develop innovative solutions was certainly a key challenge. The day was slipping away, but Hillary was determined to tackle the third and final issue after the lunch break.

Data democratisation and empowerment

Hillary stood in front of those attending the meeting and took a deep breath. Data accessibility and data sensitivity were big concerns, sure, but to unlock value would require a real culture shift at VAQ. VAQ needed to democratise data. That is, data custodians ought not consider each data silo as their own personal fiefdom – rather, their role should be to ensure access to data in an open and transparent manner so that users felt empowered to access, understand, and use that data.

‘So’, she began. ‘We know that accessing our data is difficult, and we know our data is potentially sensitive. But there must be data we where we can unlock its value and it’s not that sensitive. Can we identify the low-hanging fruit that would allow us to make real impact through data governance?’

Fidgeting in his seat, Karan shot up his hand. ‘I’m a drug use evaluation pharmacist. This is a simple one! We have what we call “fridge data.” When we’re storing medications, especially vaccines, we need to record the fridge temperatures twice a day – that’s “fridge data.” We have loads of these fridges across VAQ. Now, the fridges are monitored by a third-party provider who could record the temperatures automatically on their cloud and provide the data back to us for analysis. But with VAQ’s policies and firewalls, it’s fine for the data to go out, but not for it to come back in automatically. I had to create a big workaround and get them to email me Excel spreadsheets and then try to pull the data from there. There’ll be many third-party vendors that we just can’t interface with because of this policy’.

Karan continued, ‘But even my workaround – by the way, don’t tell IT about it, they’ll say I’m endangering the data! – isn’t timely. If I try to do something more interactive, instead of having a direct link to the data, these policies mean I need to create this massive Power Automate flow using only the tools that can run on our network, which is really complicated and takes a lot of time. That one policy just creates a lot more work, and that entire process takes half an hour for that automation to run in the background’.

Karan was exasperated. ‘My job is just a hard slog with all the barriers we’ve put in place to keep the data safe – it should be so easy but it’s just not!’

At this point, Barry chimed in. ‘You know, Karan’s right. There’s a huge amount of corporate data that just sits there but is critical for the running of VAQ’. Barry highlighted the relative simplicity of Karan’s example. ‘Yes, it’s simple, but as far as the value of just our low-level transaction data goes – well, to say it’s huge sounds understated, I think. And I don’t know if it’s just because it’s the space that I’m in and having meetings like this one, but data is the biggest asset that we have at VAQ. But the information and the data just sit there. People should feel comfortable asking questions about the data – but they don’t. And it’s not just about using the data, it’s about using the data well – that needs the right tools and skills to get it right’.

At this point, Antonia added, ‘I mean is its value in terms of the mitigation of risk, or value in terms of future economic benefits? Having complete and accurate populations of information, that support decision-making, that can support communication back to sets of patients or employees or suppliers is vitally important. The efficiency in being able to share across our systems is just going unrealised. For example, a patient in the Torres Strait that is medevaced to Brisbane would expect to have their records come with them would be disappointed to see it’s all held in a manila folder! All because we have different administrative territories and different systems. But the impact – well, sure, it’s more expensive than it should be but also someone’s health is at stake here’.

Xingui said, ‘I think that’s a very important point. I mean, I think it drives a lot of what we do now. I mean, there are always KPIs and financial and other bits and pieces. I think data is, I suppose it’s growing and that’s something that everybody now leans towards to look at justification for changing services or how we do things or where the value is’.

Brianna complained, ‘And importantly, I think when we talk about data as an asset, if we don’t know exactly where the data is coming from, what data are we collecting that we’re not actually using that we should be using? What data that we’re collecting that we’re not using, that we should just stop collecting? I don’t think we are very progressed at that level yet. I know it’s a long-term problem that can’t be fixed overnight, but it’s frustrating that we’re all senior leaders here, we can see the problem, but the organisational culture stops us from doing the best job we can’.

Hillary quickly wrote down as many notes about the meeting as she could, but the ongoing debate was cut short by a knock on the door. It was Hillary’s assistant, Gene, and Hillary could tell it was important. Gene beckoned her to the door and furtively whispered, ‘We’ve just received a phone call from Dr Mahony and she’s absolutely raging. She was about to operate on a patient transferred from Gladstone when she overheard the patient tell the anaesthesiologist that he’s haemophiliac. It’s not on our records down here in Brisbane, but Gladstone knows all about it – the CEO’s livid and wants to see you right away!’

Hillary looked back to the meeting and said, ‘Sorry, something’s come up – I’ll be back as soon as I can’.

Data accessibility

• Describe one of the tensions emerging from the working group’s discussion of data accessibility.

Data sensitivity

• What key tension emerged during the discussion of data sensitivity, and why it is such tension particularly prominent in the healthcare space?

Data democratisation and empowerment

• Identify and discuss two key tensions relating to data democratisation and empowerment from the above discussion.

Next steps

• What advice would you give Hillary as a way forward?