In the context of its authority over mammography under the Mammography Quality Standards Act, the U.S. Food and Drug Administration has posted an advisory on technical aspects of digital record retention in picture archiving and communication systems or PACS. The primary issue addressed is loss of data due to failure of the equipment.
This problem has not drawn as much attention as has the problem of data being stolen. With respect to mammography, the FDA notes that under its authority, a loss due to preventable reasons may result in a compliance action. In this regard, one can envision considerable after-the-fact discussion of what was preventable and when such prevention should have been applied. While the FDA does not have direct authority with respect to most other data, the issues raised and its suggested solutions have applicability to all forms of electronic data storage. Moreover, security should not be driven primarily by compliance.
The FDA cites the following archiving myths: the data will last forever, hard drives will never fail, and backup and maintenance are not necessary, nor are refreshing and upgrading. I would add to these the myths the idea that the cloud solves all the problems and that it doesn’t matter where the backup data resides physically—if the user even understands that the cloud actually means someone else’s server. These data longevity concerns were mirrored in a recent New York Times article on a new data storage technology that included questioning the longevity of digital storage.
The FDA’s suggestions include investing in backup storage to which I would add understanding the actual location of that stored data and how it is managed. For example, at a minimum, backup data has to be at a different location sufficiently removed from the first so that local disasters do not wipe out both. The FDA also notes that staff must be properly trained on backup procedures and that manufacturer software updates should be applied “as soon as they are released.”
Additional issues might be whether the staff understands and can monitor automatic backup processes, and whether backups are audited for integrity. I am reminded of the now-dated anecdote of people loading tape reels and watching them spin but never realizing that nothing was being recorded. Software updates are interesting since the FDA seems to be assuming that all updates are true and correct. This overlooks the wonderful software term “rollback upgrade” which means stop using that new package (because it has defects) and go back to the old package. I am similarly fond of the terminology “upgrade” itself when it is used to mean fixing something that was never right in the first place.
On everyone’s favorite topic of maintenance, the FDA suggests following the manufacturer’s recommendations on hardware maintenance, upgrades and refresh, especially for hard drives. By curious coincidence, while writing this blog post, I received an e-mail from my external storage provider that my data would be unavailable the next day because of planned maintenance. (If it was planned, why did I get only 12-hours notice?) The FDA also reminds us that electronic data and its potential loss is not just a technical issue but can translate into risks to patients when the lost data is crucial to ongoing care. And at least for mammography, that data it is a compliance issue.
William Hyman, ScD, is professor emeritus of biomedical engineering at Texas A&M University. He now lives in New York where he is adjunct professor of biomedical engineering at The Cooper Union.