College of American Pathologists
December 2011

Raymond D. Aller, MD
Hal Weiner

Using data-masking software to prevent a data breach

Without risk, there would be little progress. Yet only a fool takes unnecessary risks. And so it is that medical institutions and vendors that develop and test medical software can be divided into two camps: those that take foolish risks and those that do not.

It should be of little surprise to any health care professional that using unprotected patient data to test and develop medical information systems is risky. Yet—for a variety of reasons—many entities take such risks, despite widespread availability of data-masking software.

A survey released earlier this year by the Ponemon Institute, LLC, a research firm in Traverse City, Mich., reveals the extent of the problem. The report, which was sponsored by Informatica, a data-integration software company in Redwood City, Calif., found that 51 percent of 450 health information technology experts surveyed do not use privacy protection when developing or testing information technology applications, such as laboratory information systems.

“If you want to produce quality software and not take unnecessary risks, data masking is the way to go,” says Mike Logan, president of Axis Technology Software, LLC, a company in Boston that supplies data-masking solutions to the health care marketplace.

So what exactly is data masking? “Traditional data masking is the process of rendering data useful but meaningless, so it passes structure and edit checks and looks like real data but is not,” explains Richard Cramer, chief health care strategist for Informatica and former associate chief information officer at UMass Memorial Health Care, Worcester, Mass. “It’s a permanent change to the data stored in a database—great for testing and development.

“The newest thing in data masking,” Cramer continues, “is dynamic data masking, which just masks individual fields in a program that is running. . . . The data is masked as it is presented to the user, so it’s just being changed as it’s being used. This is great because it allows data to be masked in a production environment.”

Several companies offer data-masking software to the health care field, and each has its preferred set of data disguises. One technique involves creating a representative subset of data—perhaps 40,000 records—that can be used to test internal applications, upgrades, and interoperability between systems. In such subsets, personally identifiable information, such as names, addresses, and Social Security numbers, is masked to comply with regulations of the Health Insurance Portability and Accountability Act. HIPAA states that 18 data fields must be de-identified for privacy rules to no longer apply. Some software allows users to replace Social Security numbers with the letter X. Other products shuffle or substitute data with values from other sets of data.

“We are not scrambling data and not using Xs or Os,” Logan says. “We are putting in realistic looking data. That is our version.” A simple approach, Logan continues, is to replace modern names with Old English names, such as replacing Mike with Roman.

Whatever the technique, the goal is to have masked data act like real data, Cramer says. “You are not changing values of tests, but you are eliminating the ability to associate results with a real individual.” In other words, he continues, the truly valuable data are real and useful for testing, but they pertain to people who don’t exist.
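As an added illustration (not from the article or from any vendor named in it), the following Python example applies static masking by substitution to constructed lab rows: names and Social Security numbers are replaced with realistic-looking values that still pass a format check, the same patient always receives the same mask, and test results are left unchanged. The key, the substitute name lists, the field names and the sample rows are all assumptions made for the example, and only two of the identifier types mentioned above are covered.

```python
import hashlib
import hmac
import re

MASK_KEY = b"constructed-demo-key"  # assumption: real key is kept out of test systems
# Constructed substitute lists; a real tool would use a much larger dictionary.
FIRST_NAMES = ["Roman", "Edith", "Alfred", "Hilda", "Oswin", "Mildred"]
LAST_NAMES = ["Thorne", "Ashdown", "Wycliffe", "Harrow", "Selwyn", "Aldridge"]
SSN_FORMAT = re.compile(r"^\d{3}-\d{2}-\d{4}$")  # the "structure check" to pass


def _keyed_int(field, value):
    """Keyed hash of a field value: same input gives the same mask every run."""
    msg = f"{field}:{value.strip().lower()}".encode()
    return int.from_bytes(hmac.new(MASK_KEY, msg, hashlib.sha256).digest()[:8], "big")


def mask_name(field, value, substitutes):
    return substitutes[_keyed_int(field, value) % len(substitutes)]


def mask_ssn(value):
    n = _keyed_int("ssn", value)
    # Area numbers 900-999 are not issued as SSNs, so output is never a real one.
    return f"{900 + n % 100}-{1 + (n // 100) % 99:02d}-{1 + (n // 9900) % 9999:04d}"


def mask_record(record):
    """Return a copy with identifiers substituted and clinical fields untouched."""
    masked = dict(record)
    masked["first_name"] = mask_name("first_name", record["first_name"], FIRST_NAMES)
    masked["last_name"] = mask_name("last_name", record["last_name"], LAST_NAMES)
    masked["ssn"] = mask_ssn(record["ssn"])
    return masked


# Constructed sample rows (invalid 000-area SSNs); rows 0 and 2 are one patient.
SAMPLE = [
    {"first_name": "Mike", "last_name": "Jones", "ssn": "000-11-2222", "test": "Glucose", "result": 98},
    {"first_name": "Ann", "last_name": "Lee", "ssn": "000-33-4444", "test": "Potassium", "result": 4.1},
    {"first_name": "Mike", "last_name": "Jones", "ssn": "000-11-2222", "test": "HbA1c", "result": 5.6},
]

if __name__ == "__main__":
    for row in map(mask_record, SAMPLE):
        print(row)
```

Because the mapping is keyed, anyone holding `MASK_KEY` can recompute the mask for a guessed value, so the key belongs with the production system and not with the masked test copy.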

Data masking doesn’t have to be labor intensive, Logan says, noting his clients are pleasantly surprised when they realize they can obtain data more quickly once data masking is in place. “They don’t need to jump through hoops and wait for someone to give their approval [to access the information],” he says.

An added benefit, Logan notes, is that data-masking software can be used on a fully operational LIS to analyze trends, such as adverse events, without compromising sensitive patient information.

But despite the benefits of data masking, the software isn’t exactly flying off the shelf. One reason is that time-crunched health care professionals think it’s quicker to skip the extra step of masking patient information during testing and development, Cramer says. “It is amazing the lengths that organizations will go to to maintain all of these copies of production data and try to keep people from using it for the wrong reason,” he adds.

Another hurdle is institutional mindset: Businesses tend to stick with what they know. They have a lock on the door, Logan analogizes, so they tighten their security by adding three more locks.

Cramer concurs. You have to have a workplace culture that welcomes someone saying, “‘I want to make a strategic change. I will spend a little more and do a little more to see benefits down the line.’ It’s not a technical thing, but a leadership and governance thing,” he asserts.

But spending “a little more” can be an obstacle as well. Data-masking software for a large enterprise can cost a few hundred thousand dollars, says Cramer. However, he notes, “hundreds of thousands of dollars is a small price to pay compared to the risk of a data breach, which can cost millions of dollars.”

New LIMS for molecular diagnostics laboratories

UniConnect recently introduced UniFlow MDx, a laboratory information management system designed for molecular diagnostics laboratories.

The product is scalable and designed to support molecular labs of all sizes, from single laboratories to distributed and global networks of labs.

UniFlow MDx can be completely customized and configured by trained, authorized users. “This product’s core functionality addresses the basic needs of all diagnostic labs yet is flexible enough that labs can process samples in a way that is unique to their specific operations—from first sample to final report,” says Rick Mandahl, vice president of business development for UniConnect.

Phone: 801-428-1700

Olympus and Caris Diagnostics unveil pathology interface

Olympus, in partnership with Caris Diagnostics, has introduced an automated pathology reporting interface, Olympus EndoWorks 7.4.

The EndoWorks interface allows endoscopy providers to generate specimen labels, view and print daily specimen logs, access status and diagnostic reports electronically, update patient reports, search by patient, print requisitions and lab results, and interface pathology records with Olympus’ EndoWorks system, a Web-based information-management solution for gastrointestinal and pulmonary patient care.

Users of the EndoWorks interface can also automatically attach procedure data and summary notes.


Caris Diagnostics

AMA announces opposition to federal ICD-10 mandate

The American Medical Association House of Delegates recently voted to work vigorously to stop the federal government from implementing ICD-10 (International Classification of Diseases, 10th Revision), a new code set for medical diagnoses. The AMA’s action, however, has not been embraced by all medical societies.

“The implementation of ICD-10 will create significant burdens on the practice of medicine with no direct benefit to individual patients’ care,” said AMA president Peter W. Carmel, MD, at the AMA’s semi-annual policy meeting in November. The undertaking, he added, “will add administrative expense and create unnecessary workflow disruptions. The timing could not be worse as many physicians are working to implement electronic health records into their practices.”

The American Health Information Management Association disagrees. “There are countless benefits that will come from the use of a 21st century classification system,” says AHIMA CEO Lynne Thomas Gordon. “We need to move our disease classification system toward international standards and also align it with the meaningful use incentive program as well as value-based reimbursement.”

AHIMA further asserts that ICD-10 will cause minimal workflow disruptions and that specialty practices use a small number of the codes. “The classification system is like a dictionary,” says Sue Bowman, AHIMA director of coding policy and compliance. “You only use it for the codes that represent the diseases that your practice encounters, which would not be every code in the book.”

The Department of Health and Human Services has mandated that ICD-9-CM code sets, used by medical billers and coders to report health care diagnoses and procedures, be replaced with ICD-10 code sets by Oct. 1, 2013.

Xifin introduces solution for revenue cycle management

Xifin has released its Xifin iNet platform for revenue cycle management.

The cloud-based Xifin iNet employs a platform-as-a-service model that allows diagnostic service providers using Xifin’s RCM solution to distribute and exchange billing information and revenue cycle management functionality with a variety of systems, including laboratory and radiology information systems, computerized physician order-entry systems, and electronic medical record systems.

“Xifin iNet actively communicates with other systems to facilitate clean orders through payer-specific edits, eligibility and medical necessity checking, and other types of validation to help reduce front-end errors,” according to a release from the company.


Cove releases updated laboratory inventory-management software

Cove Laboratory Software is marketing version 7.0 of its InvMan inventory-management software.

This latest release offers electronic storage of product package inserts, product notifications, material safety data sheets, and vendor contract documents. The software also allows users to include product bar codes on worklists and print bar codes on labels of various sizes.

InvMan manages the inventory of laboratory reagents, supplies, and instrumentation.

Cove Laboratory Software

Contracts and installations

Mediware Information Systems has signed contracts to install its InSight Performance Management platform at the BloodCenter of Wisconsin, Milwaukee, Community Blood Center of Kansas City (Mo.), and U.S. Department of Defense. Using InSight software, the institutions can monitor performance in transfusion services, identify key trends, and receive notifications when targets are not being met.

Mediware Information Systems

Massachusetts General Hospital, Boston, has gone live with Sunquest Information Systems’ CoPathPlus 5.0 anatomic pathology system.

Sunquest Information Systems

Dr. Aller is director of informatics in the Department of Pathology, University of Southern California, Los Angeles. He can be reached at Hal Weiner is president of Weiner Consulting Services, LLC, Florence, Ore. He can be reached at