The medical industry is being transformed by Point of Care technology, including new portable testing devices which accelerate diagnosis for time-sensitive tests, and mobile healthcare technologies such as medical clinical assistant tablets and smartphone apps which give caregivers instant, portable access to Electronic Medical Records (EMR), X-rays, drug interactions, and more. These advances are supporting better clinical decision making, leading to improved patient outcomes.
A key enabler in this movement has been SSD storage. With low power consumption, extremely quick data access, and inherent resistance to shock and vibration, SSDs are a particularly suitable storage technology for the portable devices central to this generational shift.
Though point of care devices are proving to bring huge benefits in the field, the clinical importance of medical information demands highly reliable storage. In addition, HIPAA privacy laws mean SSDs used in medical devices must have strong protections for patient information. For medical device data storage, this means flash needs to go beyond consumer grade SSD technology and be chosen with service life, operational reliability, and data security in mind.
Medical Grade Flash
Often asked to operate for a decade or more, medical equipment is relied on to stay in service for much longer periods of time than your average consumer smartphone, notebook or laptop. For flash storage this extended service life has big implications. As flash degrades when it is written to over time, the same consumer grade flash chips that reliably store photos and apps in a smartphone for its 2-year life span can fail if asked to perform beyond these time frames, or in more write-intensive applications. For medical equipment holding vital clinical information, storage failures like these are unacceptable.
However, not all flash is equally vulnerable to service failure over time. The most basic form of flash stores one bit per cell, and does so quite well. This Single Level Cell (SLC) flash boasts a strong service life, up to 10 times greater than consumer level flash, but with its relatively low storage density it commands a steep price tag. Flash chips in consumer devices, on the other hand, are divided into sub-cells to store two or three times as many bits of data. By increasing storage density, these Multi Level Cell (MLC) and Triple Level Cell (TLC) flash chips achieve better economics, but at the cost of reliability. As flash cells are subdivided, their service life decreases dramatically. MLC flash generally has 10 times fewer duty cycles than SLC flash, and TLC degrades this even further, with lifetimes as short as 1,000 write cycles.
Extending Service Life
SLC flash is a highly reliable option for medical devices storing critical information. However, at about 5 times the price of MLC, this premium grade flash isn’t suitable for every application. There’s no doubt that the most critical medical devices with frequently written storage do deserve SLC, but for devices storing less critical data, with less intensive I/O usage or I/O usage that is mostly reads rather than writes, other options may make more sense.
With SLC boasting high reliability at high cost and MLC flash promising cheap flash but with poor service life, the market has demanded an intermediate solution and manufacturers have answered the call. Through clever wear-leveling technology that spreads flash wear across an entire flash drive instead of concentrating it on certain areas, modern flash drives can greatly extend the life of MLC flash. Wear leveling technologies such as Innodisk’s iSLC flash, which emulates SLC using MLC flash, can achieve tens of thousands of write cycles, approaching that of SLC flash cells. These new wear leveling technologies enable cost-effective MLC based flash cells to be used in medical devices without worry of drive failure over time.
Despite these advances, the choice of which flash to use can still be a tough one for system designers, as the cost difference is significant yet the exact storage durability requirements are not immediately clear during development. Thankfully, today’s SSDs are able to report usage statistics using Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.). Software utilities which access S.M.A.R.T. information, such as Innodisk iSMART, can get detailed disk usage data, giving designers a practical sense of how many write cycles the flash drive must sustain over its service life and allowing the right grade of flash to be chosen.
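The sizing step described above can be sketched as follows. This is an added example, not Innodisk or iSMART code: it projects per-cell write cycles from two usage readings and picks the cheapest flash grade that covers them. The field names, the write amplification factor, the safety margin and the MLC, iSLC and SLC cycle ratings are assumptions; only the 1,000-cycle TLC figure and the 10x SLC-to-MLC ratio come from the article.

```python
from dataclasses import dataclass

# Rated program/erase cycles per cell, cheapest grade first. Only the TLC figure
# and the 10x SLC:MLC ratio come from the article; the absolute MLC, iSLC and
# SLC numbers are assumed for illustration.
GRADES = [("TLC", 1_000), ("MLC", 3_000), ("iSLC", 20_000), ("SLC", 30_000)]


@dataclass
class SmartSample:
    """One reading of a drive's S.M.A.R.T. counters (hypothetical fields)."""
    power_on_hours: float
    host_writes_gib: float


def required_pe_cycles(first, last, capacity_gib, service_years,
                       write_amplification=2.0):
    """Project the per-cell write cycles needed over the service life.

    Assumes ideal wear leveling (writes spread evenly across the drive), a
    device that stays powered on, and an assumed write amplification factor.
    """
    hours = last.power_on_hours - first.power_on_hours
    written = last.host_writes_gib - first.host_writes_gib
    if hours <= 0 or written < 0 or capacity_gib <= 0:
        raise ValueError("need increasing samples and a positive capacity")
    lifetime_gib = written / hours * 24 * 365 * service_years
    return lifetime_gib * write_amplification / capacity_gib


def pick_grade(cycles_needed, safety_margin=2.0):
    """Return the cheapest grade rated for the need times a safety margin."""
    for name, rated in GRADES:
        if rated >= cycles_needed * safety_margin:
            return name
    return None  # nothing qualifies: cut write volume or add capacity


# Constructed readings taken 30 days apart on a 32 GiB prototype drive.
FIRST = SmartSample(power_on_hours=100, host_writes_gib=50)
LAST = SmartSample(power_on_hours=820, host_writes_gib=410)

if __name__ == "__main__":
    need = required_pe_cycles(FIRST, LAST, capacity_gib=32, service_years=10)
    print(f"{need:.1f} cycles per cell needed -> {pick_grade(need)}")
```

A result of None means no listed grade meets the projected load at that capacity, so the design needs a larger drive or a lower write volume.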
Power Loss Data Protection
For the most part, a properly chosen flash drive will perform extremely reliably during its operational life. The lack of moving parts means there’s little to wear out or go wrong, and especially for mobile applications its shock and vibration resistance is invaluable. However, flash does have an Achilles heel which must be protected. To enhance performance and prolong service life, all modern flash drives use a volatile cache, usually some amount of DRAM memory, to store data temporarily. This buffer space helps the drive perform its day to day operations reliably, but its volatile nature means it’s vulnerable to power outages. An SSD without power protection will lose temporary data if power suddenly goes out, which can mean significant data loss or corruption. For a device storing medical information this could have serious consequences.
For medical devices using SSD storage it’s therefore essential to include strong power protection. The best protection mechanisms combine extra capacitors on the drive, which form a backup power source in the case of power loss, with a firmware emergency shutdown algorithm. These power protection systems, such as Innodisk’s iCell, detect a power loss situation and use backup capacitor power to store all temporary data into flash, thereby preventing data loss.
Besides the hardware+firmware approach to power protection, a newer type of SSD which has inherent robustness against power loss is showing up on the market. These “DRAM-Less” SSDs eliminate the source of the problem (the main DRAM buffer), instead using a smaller SRAM space to perform wear leveling and performance optimization. As SRAM is much quicker and also generally smaller in capacity than the large DRAM buffers in most SSDs, these DRAM-Less SSDs keep less data “in flight” and are able to flush it quicker when power is lost, thereby achieving the utmost data integrity.
SSDs and HIPAA Compliance
Under federal law, healthcare plans and healthcare providers, as well as their business associates which deal with patient data in electronic form, must have data privacy protections in place to comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The information covered by HIPAA is extensive and includes medical record information, conversations about treatment, billing details, and more. The range and scope of HIPAA means it’s important for medical devices to make it easy for users to encrypt data and keep it secure, without hindering their own access to it for healthcare purposes.
- Information your doctors, nurses, and other health care providers put in your medical record
- Conversations your doctor has about your care or treatment with nurses and others
- Information about you in your health insurer’s computer system
- Billing information about you at your clinic
- Most other health information about you held by those who must follow these laws
- Who is affected (covered entities)
- What is protected (patient data)
- How must it be protected
- How SSDs with Encryption can help
We call the entities that must follow the HIPAA regulations “Covered Entities”.
Covered entities include:
- Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
- Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
- Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
- In addition, Business Associates of Covered Entities must follow parts of the HIPAA regulations.
Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “Business Associates.” Examples of business associates include:
- Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims.
- Companies that help administer health plans.
- People like outside lawyers, accountants, and IT specialists.
- Companies that store or destroy medical records.
Covered Entities must have contracts in place with their Business Associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business Associates must also have similar contracts with subcontractors. Business Associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.
Encryption is one of the key tools for modern data privacy, keeping sensitive data unreadable to prying eyes, but software-based encryption techniques can be vulnerable to viruses, hacking or user error. Recently a newer option has emerged in the latest SSDs: hardware-based full disk encryption using ultra-secure algorithms such as AES. With this technology, the entire drive is completely encrypted at the firmware level, making it difficult to impossible for viruses to infiltrate. The encryption starts from the moment the drive boots up and happens transparently in the background, reducing the chance of user error while giving physicians, nurses and other healthcare providers unhindered access to patient data for clinical purposes.
Care must still be taken that patient data is transmitted over secure channels, but full disk encryption helps ensure that data saved locally is kept safe and compliant with privacy laws, even if disks or devices are stolen or lost.
SSDs are becoming an integral component as modern healthcare shifts towards Point of Care Technology, but the reliability, service life and privacy needs of data storage in the healthcare sector surpass what consumer grade technologies can offer. The best medical device providers need to consider reliable flash types, power protection methods, and disk encryption technology in SSDs for medical use.