ROCHESTER -- More than a century ago, Dr. Henry Plummer and Mabel Root created a system at Mayo Clinic that has now become ubiquitous in health care: the unified medical record. This record-keeping system ensured that a patient's medical history stayed in one place and could be reviewed by multiple providers, instead of each physician keeping their own separate notes.
Now, a patient's electronic health record can follow them from clinic to clinic, chronicling their medical information and history.
Mayo Clinic uses these records and other medical data to drive the research its employees embark on, and it shares its resources with other researchers, hospitals and medical technology developers. Its emphasis on developing artificial intelligence algorithms and imbuing its future clinical buildings with technology underscores how critical these data -- appointment records, CT scans, blood work, medical histories -- are in advancing the health system's goals.
Here's a look at Mayo's cache of information and how cybersecurity plays a big role in its protection.
One of the longest-standing troves of medical data is contained in the Rochester Epidemiology Project, which began in 1966.
"Really it began when Dr. Leonard Kurland came to Minnesota from the National Institutes of Health, and he started looking around and realized that Rochester, Minnesota, is kind of isolated from other large cities in our area," said Jennifer St. Sauver, a Mayo Clinic epidemiologist and co-principal investigator of REP.
This isolation meant that Rochester's residents received their health care from just a handful of providers -- and with many Rochesterites living in the area for their whole lives, their health records could be consistent.
"What (Kurland) realized was that if he could put all of that medical information together, you could follow people as they moved back and forth to different health care providers for different reasons," St. Sauver said.
When the project began, it just compiled the medical records of patients in Olmsted County. But beginning in 2010, the project expanded to encompass southern Minnesota and west-central Wisconsin. (Mayo Clinic patients from elsewhere in the world are not included.) Mayo Clinic and its regional health system, Olmsted Medical Center, Olmsted County and Zumbro Valley Health Center all contribute medical records to REP.
"If you're talking about Olmsted County only, we're talking about 657,000 people who lived in this region between 1966 and 2023. If we expand to this 27-county region ... we're talking about 1.4 million people and about 2.9 million medical records," from 2010 to 2023, St. Sauver said.
The result is an ever-updating pool of population-level health information that researchers can use to study things like diabetes onset over time, antibiotic prescribing or the influence of one factor on another, such as pre-eclampsia in pregnancy and high blood pressure later in life.
"When you go to a doctor," St. Sauver said, "you get billing codes that say if you had a particular type of infection, you get these electronic codes that say if you had a particular prescription. ... That data, we can retrieve electronically."
Since 1966, more than 3,500 research studies have been published using REP data. The general public can even use a data exploration portal on REP's website to look at high-level medical trends over time.
"We're incredibly lucky to have this resource," St. Sauver said. "The Rochester Epi Project is the only thing like it in the U.S. ... I don't think we could develop it if we started from scratch today."
Researchers beyond Mayo Clinic's walls might make use of the Mayo Clinic Platform. Its data network, Connect, uses millions of de-identified patient records, test results, imaging, pathology reports and more from Mayo Clinic and seven other large health care systems across the world. As of July, the Connect network contains information from 32.5 million patients, 7 million of whom are Mayo Clinic patients.
For data to be de-identified under the Health Insurance Portability and Accountability Act's Privacy Rule, information that is private or can be used to directly identify a person, such as a patient's name, Social Security number, fingerprints, email addresses and full-face photos, must be removed from the data.
"Each Mayo Clinic Platform_Connect member brings unmatched depth and breadth of clean, curated, de-identified data related to complex and rare health conditions to the network," a Mayo Clinic Platform spokesperson said in a statement to the Post Bulletin. "Together, this data represents a wide range of treatments and therapies from diverse communities in urban and rural settings across the globe."
Mayo Clinic Platform describes its Connect database as one of the largest and most comprehensive data networks in health care, and medical providers, researchers and device and technology makers can use it in their work.
Some of this information is also used to test and validate artificial intelligence (AI) tools through Mayo Clinic Platform_Discover.
"Mayo Clinic Platform_Discover supports health care transformation by enabling innovators and researchers to utilize ... de-identified data from geographically and ethnically diverse patient populations, which will help create more tailored medicine, health care products, services and solutions," the spokesperson said.
The breadth of Mayo Clinic's medical data isn't all in electronic records -- some of it is in blood, deep-frozen cells and tissue blocks.
"Just in Minnesota, I have up to a 70 million-sample capacity," said Mine Cicek, director of the biorepositories program at the Mayo Clinic Biobank.
Biosamples for various clinical trials and other research projects are stored at a 100,000-square-foot facility in Rochester. Some samples, like blood, are stored in upright freezers at minus-112 degrees Fahrenheit. Even colder (minus-310 degrees) liquid nitrogen storage is used for live cells. Barcodes help automate the process of locating the right samples when they are needed.
Two big biosample collections managed by Mayo are the Mayo Clinic Biobank and the All of Us Research Program.
Cicek said 70,000 Mayo Clinic and Mayo Clinic Health System patients contributed samples to the biobank, and "that translated into about 1.2 million samples that (are) available for researchers."
As for All of Us, Mayo Clinic plays a critical role; even though it is a nationwide program run by the National Institutes of Health, Mayo collects, processes and stores all of the blood and urine samples for All of Us.
The national research program aims to enroll 1 million Americans -- especially those from under-represented backgrounds -- in a database that uses health records, surveys and genetic information to fuel medical research. With its use of health records and large participant population, All of Us has some similarities to REP.
All of Us participants can also give a biosample to the program. Cicek, the principal investigator for the All of Us biobank, said Mayo Clinic gives collection supplies to all the participating clinics around the country. When a person donates a biosample (seven vials of blood, usually) at their local medical clinic, their sample gets sent back to Mayo, which divides it into multiple, smaller samples, sequences the genetic data and stores the samples for future use.
"We received, as of last month, close to 600,000 participants," she said. "And from those participants, what we have in our storage (is) close to 14 million samples."
While genetic information is the primary use for the All of Us samples, Cicek said it's hard to tell how future researchers will use this resource.
"The purpose of these types of collections, biobanks, this wide variety of sample types that we provide really gives the opportunity to researchers to do a wide range of research," she said. "You really can't tell, in the next 10 years, what the priorities of researchers will be."
With all of this information on hand, Mayo Clinic -- and every other hospital, clinic, dental practice and so on -- has to invest in keeping that data secure. Because medical practices store patients' personal, medical and financial information, they can be a key target for cyberattackers.
"Hospital systems are victims of cyberattack primarily because of the data that they hold," said Brendan Saltaformaggio, a professor of cybersecurity at the Georgia Institute of Technology. "If you think of it from the hackers' perspective, it's like to get the most bang for your buck if you attack a hospital system."
Sometimes, the hackers' goal is to obtain this data in order to sell it to other bad actors.
"People who are doing insurance fraud ... or identity theft, all of these sorts of crimes that require a lot of very private data about people, those criminals will pay hackers very large sums of money for this stolen personal data," Saltaformaggio said.
Hackers can also hold that information for ransom. When electronic patient records and systems are inaccessible, that can have a significant effect on patient care, said Hannah Neprash, an associate professor at the University of Minnesota School of Public Health.
"Some very common disruptions are losing access to an electronic medical record, which means you don't know what medications the patient is taking or, maybe, what they're allergic to," she said. "Delaying or canceling surgeries, which just delays time to treatment, and then also something called ambulance diversion, which is sending emergency patients elsewhere."
These sorts of ransomware attacks have a more dramatic impact on rural hospitals, Neprash and her colleagues found in a recent study. Because rural hospitals are, typically, further away from other health care providers, Neprash said rural patients can have a harder time getting the care they need while their hospital is affected by ransomware.
Because of this risk, Saltaformaggio said hospitals of all sizes "do an amazing job at cybersecurity" despite two big challenges: having lots of computers and devices to protect and building up their cybersecurity team.
To the first challenge, not only do hospitals have to secure the computers in exam rooms, offices and nurses' stations, but they also have to consider devices like MRIs, smart wheelchairs and doctors' cell phones, Saltaformaggio said -- if it uses a computer, it could be exploited.
"There's always a trade-off between locking things down and making things interoperable," he said. "You need the lab computers to interoperate with the patient database computers, and the patient database computers to interoperate with the email servers. ... (But) it's an opportunity, if an attacker can get access to one computer that can communicate with another computer, then, all of a sudden, the attack can spread."
The second challenge is competing against other companies in hiring cybersecurity experts.
"It's a field where there are way more job openings than there are job seekers," Saltaformaggio said.
And, in addition to routinely updating their cyber defenses, hospitals also have to stay up-to-date on staff cybersecurity awareness, said Sumantra Sarkar, an associate professor at Binghamton University who studies health care information technology.
"Ultimately, it's humans using that computer or feeding in data or analyzing the data," he said. "Humans also happen to be one of the most vulnerable points of failure in the whole data ... ecosystem."
In the Rochester Epidemiology Project's case, its information is protected behind the same firewall that covers Mayo Clinic's other sensitive data.
"As the Mayo Clinic firewalls are updated -- and they are updated constantly and routinely to adapt and consistently protect these data -- the REP data are automatically part of that," St. Sauver said.
Who gets to use the data is also controlled. A research proposal has to be approved by Mayo Clinic's Institutional Review Board and the REP Research Review Committee before it can access and analyze REP data.
For All of Us, which also uses electronic health records and patient surveys to gather data, potential researchers are vetted before they access the data, which is "stored on the Research Workbench, a secure, cloud-based platform," per the program's website.
Fewer legal protections are in place for de-identified data, since at that point it is no longer protected health information under HIPAA's Privacy Rule. Therefore, certain organizations (including hospitals) can use and share that information without limitation.
In Mayo Clinic Platform's case, it stores its de-identified data "behind a secure perimeter."
"Each partner retains control over their data, and only authorized tools can access the de-identified data for algorithm development," the spokesperson said.
When it comes to securing your own medical data, much of that control is in the hands of the hospital and its cybersecurity team.
What individuals can do, Sarkar said, is be conservative with sharing their personal information. For example, if a service asks for your Social Security number, but it isn't required, opt out of providing it. He also said to change passwords regularly and, if possible, use two-factor authentication to sign in to accounts.
"Any password in the world can be broken, OK? But the faster you change, the chances of password breaking is minimal," he said.
For patients and hospital employees, Saltaformaggio said taking caution when clicking links and interacting with emails is an important part of cybersecurity.
"When it comes time to do those annual cybersecurity training things that most employers make everybody do now, take that seriously," he said. "They're designed by experts who study how people fall for cyberattacks."
Mayo Clinic did not respond to the Post Bulletin's question about how patients opt in or opt out of having their health information used in research.
For the Rochester Epidemiology Project, St. Sauver said that when a person becomes a new patient at Mayo, OMC or another partner, they will receive a letter in the mail about medical research authorization that gives them the option to opt out. If the patient doesn't opt out after two letters, they will be opted into REP. Children opted in by their parents will get a new letter when they turn 18.
To check or change your REP status, St. Sauver said Mayo Clinic patients can call 507-293-3550 and OMC patients can reach OMC's medical records department at 507-287-2752.