There’s an interesting article at InformationWeek about healthcare and the cloud. The article talks a little bit about the concerns surrounding security in the cloud and what I believe is an undeserved fear of using cloud based services and storage for healthcare information.
In the article a pediatrician that is also director of clinical informatics for Atrius Health is quoted as saying “At the moment I’m not convinced that there’s a secure enough place in the cloud or that the functionality exists for us to do everything that we need to do in the cloud. The cloud allows for a tremendous amount of interconnectivity between computers because it’s using data storage that’s free amongst different networks and I wouldn’t want healthcare information being scattered in a way that I couldn’t protect it appropriately.” I’m not sure I understand the perceived insecurity of the cloud as the existing infrastructure for storing patient information in healthcare is, by design, insecure.
I don’t think most of the fear swirling around the cloud is necessarily associated with the physical security of the servers or the lack of encryption, but rather the regulation attached to healthcare. Everyone wants to know that information is safe and they don’t want to get dinged by one of the regulatory agencies. Everyone is worried about being HIPAA compliant along with the fines associated with the HITECH Act for breaches of patient information. I can’t guarantee that every cloud provider meets HIPAA regulatory compliance, but that’s why you have a sit down with the cloud provider and understand what you’re getting yourself into before you jump in head first.
However, consider the results of a recent survey conducted by New London Consulting and FairWarning in which nearly one-third of survey respondents stated that their organizations were not currently in compliance with or feel that they will be in compliance with the HITECH requirements. How is that a good thing?
On the other hand, it’s in a cloud service provider’s best interest to be in full compliance with state and federal laws if they plan on staying in business. This could be a win-win, especially for healthcare systems that need someone to help control their data.
Based on available cloud models one could argue that data is more secure in the cloud than it is with many “in-house” systems. Cloud service applications are developed with cloud platforms in mind and use a common security model. Cloud providers tend to be aware of technology and security trends before the typical end-user. In other words, they pay more attention to issues such as physical security, access controls and perceived threats. It’s what they do, people.
Many consider data control and security in the current healthcare model a myth. It consists of data located in various places split among computerized storage and paper files. Do you really think this is a safe, secure and efficient way of storing healthcare information? A more important consideration might be whether or not the people arguing against cloud storage models understand the current state of healthcare data integrity.
Many people in various locations need access to healthcare information. In the current healthcare model this results in duplicate information found in paper charts stored by the thousands. It’s not uncommon to find these files lying around in various places like nursing units, physicians desks, etc. Don’t even get me started on what can happen when a hard copy of a record gets lost in transit to another location. And let’s not forget that some facilities may not have a readily available backup of these paper records.
Unfortunately, the problem with data integrity and security isn’t limited to paper records. Electronic records inside facilities are at risk as well. Medical records are accessed by many people for lots of legitimate reasons, but what happens when a physician or other healthcare provider walks through your door with a flash drive, an external hard drive, or even a laptop with patient data on it? That’s a walking HIPAA nightmare.
Laptops are everywhere and some physicians use them to transport patient data back and forth. In addition, laptops remain a mainstay for home health nurses and hospice care outside the hospital. They are both an indispensable tool and a tremendous security risk for healthcare institutions. If you don’t believe me just do a cursory online search for “lost laptop with healthcare data” and see what pops up. You’ll be shocked and horrified by what you read.
Information from a 2009 report by the Ponemon Institute indicated that Approximately 10,000 laptops go missing in airports every week. Some get recovered, but many don’t. The loss of these laptops is not only a security breach when they contain sensitive healthcare data, but they create a financial burden as well. It’s not just the cost of replacing the hardware itself, which we know is cheap, but the cost of detection, forensics, the loss of productivity and the possible fines associated with the data breach.
According to the Ponemon report, the average value of a lost laptop for all industries is $49,246. That’s a bargain when compared to healthcare where it’s actually around $67,873. Sure you can encrypt the data and take steps to minimize data breaches on these stolen or lost devices, but doesn’t it make more sense to simply avoid it all together? I think so.
A cloud model means that your information doesn’t need to be moved around and it doesn’t need to be copied or transferred from one system to another because the end user has the information available to them at any time from any device with internet connectivity. Pick your device: smartphone, laptop, iPad, it doesn’t make any difference as long as the device is web enabled and can see the information in the cloud.
Regardless of the situation – pharmacy needs information about a patient’s allergies or a patient gets admitted to the hospital and you need the old chart or you’re a physician on call that needs to know what a patient is taking or what their most recent labs are – as long as you have web access you can see that information. With the increasing availability of wireless connectivity it’s only a matter of time before having access at anytime from anywhere won’t be a slogan, but a reality. In addition the information remains safe because it’s not stored locally on the device. You’re simply using the device as a window to view the data.
A 2009 report on “Cloud Computing: Benefits, risks and recommendations for information security” by the European Network and Information Security Agency actually took an independent look at the technical and legal aspects associated with the issues of ‘cyber security’ and determined that “The scale and flexibility of cloud computing gives the providers a security edge.” Their reason for making such a bold statement was that they felt that service providers had the flexibility to instantly correct security issues, apply patches or implement additional security features if necessary.
Regardless of current feelings toward cloud computing, it is apparent to me that the consumer market is driving adoption. The InformationWeek article goes on to say “Nevertheless, last month two major announcements may have been the clearest indication yet that vendors believe there is promise in offering cloud computing to healthcare delivery organizations, especially among small and medium-size physician practices. In June, GE Healthcare introduced Centricity Advance, a new Web-based, SaaS platform that offers a combination of EMR, practice management, and patient portal solutions for small, independent physician practices. Last month also saw Dell announce a partnership with SaaS provider Practice Fusion to offer an electronic medical record package for small and medium-size medical practices.” We’re headed toward the cloud whether we like it or not. The market will eventually force healthcare to adopt the model, and being forced into something is never a good thing. While I believe in improving and optimizing existing systems, I also believe it’s important to explore future technology and decide where you want to be. Just a thought.