4/24/2014
12:35 PM

Physicians Find Security In The Cloud

Healthcare practices are increasingly partnering with trusted cloud service providers to provide enhanced data security along with improved efficiency of IT operations.


A growing number of healthcare practices are finding that cloud services, once feared by security-conscious providers, are now proving to be a safer option than on-premises alternatives.

While only 4% of healthcare providers adopted the cloud in 2011, use of the vertical cloud is now growing by 20% annually, according to MarketsandMarkets. By 2017, the researchers predict, healthcare organizations will spend $5.4 billion on cloud services.

Security demands are driving some of this growth. Stronger HIPAA laws penalize organizations that breach patient data -- and many breaches occur when an employee loses a laptop. For example, on April 22 Concentra Health Services paid the US Department of Health & Human Services Office for Civil Rights more than $1.75 million after an employee's unencrypted laptop was stolen and the organization was found to have insufficient security management processes in place to protect patient data. Indeed, between 2009 and the end of last year, 24 million patient records were breached. Theft accounted for about half of them, wrote Chris Poulin, research strategist for IBM's X-Force Research & Development team, in a blog.

"There's a recognition now that cloud is probably going to be much more secure than you're ever going to be in your own shop, especially if it's not your core competency," Bill Fera, a principal at EY, told us.

Before opening its doors in late 2012, Eppel Family Medicine immediately purchased a cloud-based system, according to office manager Ken Adams. "When you make these decisions about an electronic health record, we didn't want a server that could be stolen. We didn't want paper. The cloud system was definitely a draw right from the get-go," he said of the practice's purchase of CareCloud. "Even more than the cost and ease of use, we didn't want it here in the office. We wanted somebody else to protect it from the bad guys."

When it comes to securing data, practices cannot focus solely on their server. "Everyone thinks of patient information as in their [electronic medical records], but when we go through and do a risk assessment, we find there's patient information in email, and all that information is sitting in laptops or smartphones or tablets," says Art Gross, president and CEO of HIPAA Secure Now, which provides compliance and risk-assessment products and services.

Moving data to the cloud reduces that risk since it is now stored remotely. "There is no laptop containing patient data you can take from cars or [nurses'] carts," says Anand Shroff, CTO at Health Fidelity.

Since a practice no longer operates its own server, it doesn't need to worry about protecting the physical computer from manmade or natural disaster. That's good news, technology executives say, given that some practices aren't equipped to house servers and sometimes place them in inappropriate places. For example, one doctor's office stored its server on a board placed over a toilet in a bathroom, Edwin Miller, VP of product management at CareCloud, told us. The provider of cloud-based healthcare IT software and services integrates with Box for file sharing on a HIPAA-compliant product that patients can access from any Internet-connected device, he said.

Partnering with a HIPAA-compliant cloud-based EHR provider relieved Rose City Urgent Care & Family Practice's security and regulatory woes, according to Dr. Ken Johnson. Founded by three physicians who wanted to help low-income patients, he explained, the practice had little money or time to spare on technology.

"I didn't want to spend all my time in IT fiddling with the server. Although I love doing that, I knew I wouldn't have time," Johnson told us. "With cloud computing, all I need to know is I have a great redundant pipe running to the network. I don't need to have this massive infrastructure."

Although he was initially concerned about security and backup, Johnson realized his solo IT operation couldn't effectively handle the organization's needs, especially with a rapidly growing user base. Eventually he chose a cloud-based EHR and Carbonite's automated cloud backup service. Since Carbonite is a business associate, it provides business associate agreements to Rose City, thereby meeting regulatory requirements.

"In many instances a private cloud is sometimes more secure than their own environment, especially when you talk about physician practices, small businesses, and small rural community hospitals," says Mac McMillan, current chair of the Health Information Management Systems Society (HIMSS) Privacy and Security Policy Task Force and CEO of CynergisTek, a consulting firm focused on regulatory compliance in healthcare. "Some of these organizations don't have the wherewithal to basically have a large IT or a sophisticated IT organization or even their own IT organization or someone to manage a datacenter. In those instances, putting your EHR in a private cloud vendor facility that probably has better security than half the datacenters in healthcare today is a better solution than trying to host it yourself, both operationally and from a security perspective."

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments
SachinEE
User Rank: Ninja
4/26/2014 | 6:11:14 AM
Re: Physicians Find Security In The Cloud
This is in fact a very good initiative and should be invested upon. All one needs with cloud computing is basically a great redundant pipe running to the network and not any massive infrastructure as is used by other computing devices. That is a plus. It needs to be done now. All people are concerned about is what it can do for us as opposed to when exactly will we get this technology. That is the question we should ask ourselves.
SachinEE
User Rank: Ninja
4/26/2014 | 6:09:01 AM
Re: It's not if, it's when
@Gary, you raise some very interesting points and I totally agree with you on most of them. However, before everyone in the medical field jumps to the cloud, I think there are a few factors that must be considered closely and which, unfortunately, have not been touched on so far. For instance, it may not be very wise, or even economical, for a small-time physician to invest in cloud computing since it would be much easier for him or her to simply secure the data locally using up-to-date EMR software.
Alison_Diana
User Rank: Author
4/25/2014 | 9:54:15 AM
Re: It's not if, it's when
Thanks, @Gary. Even some of the most technically-minded physicians -- you know, pros who enjoy tinkering and even programming in their spare time -- agreed with your statement, Gary. They realize they don't have time and recognize major security flaws -- Heartbleed for example -- can be discovered at any time, including times when their practice is fully booked and nobody is available to make any needed patch downloads. 

As you also point out, availability is crucial. Of course, practices must seek at least 99.99% uptime from their cloud service providers. And get an SLA (reviewed by an attorney) with some teeth to it, recommended some experts I've spoken to over the years. What other steps are cloud users taking to ensure they can access data if they can't connect with their cloud-based data?
BobH088
User Rank: Apprentice
4/25/2014 | 9:48:40 AM
losing data
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags (mystufflostandfound.com) let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel like my phone, passport and luggage after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.
Gary_EL
User Rank: Ninja
4/24/2014 | 9:58:51 PM
Re: It's not if, it's when
Yes, there is a chance that the cloud provider can be hacked. But, protecting against that eventuality is what they do for a living, so the data is safer with them than it is at a doc's office with the "server on a board placed over a toilet in a bathroom" – I love that story! This idea will fly, because it makes so much sense. It's also why accounting firms like cloud-based software. Most of the responsibility for security is lifted off their shoulders, and if something goes wrong, it'll most likely be the software provider who gets sued or fined – not them.

Yes, the docs are fascinated with computers, just like most other bright people with technical educations. But, there are only so many hours in a day, and specialization is a bittersweet fact of life, and there are only so many roads most of us can walk down and still be at our most productive.

This is also the preferred solution because if/when a patient is hospitalized, the hospital docs will (hopefully) be able to access the records, and less of the primary's time has to be spent interfacing with the hospital staff.

The article touched on another critical point. The data will have to spend some time in the memories of the devices held by the doctors and his/her staff; maybe more time to keep the office running when the internet goes down. How will the info be protected then?
Alison_Diana
User Rank: Author
4/24/2014 | 5:50:30 PM
Re: It's not if, it's when
Yes, there is a chance a cloud service provider's data can be hacked, of course. But every single day we hear of laptops, phones, and tablets getting stolen or lost from doctors' offices and hospitals. Each of those devices often includes hundreds, if not thousands, of (usually) unencrypted data. Then that small office is fined, heavily fined, perhaps more than $1 million. If they luck out and don't get breached, is it planning or luck? Do the hundreds of small practices in a town spend adequate time and money adding the right security tools, training staff against social engineering, and updating everything once patches come out? Are their offices protected by sensors, security systems, wire, and dogs to prevent machines physically being removed? How much background checking of employees do they do and how often do they refresh those checks?

And, of course, they're supposed to care for patients in the middle of all this!

So while cloud isn't 100% safe, it's often a safer alternative. And it definitely should give practices peace of mind that they have reduced the risk to themselves if they do their homework and choose a partner with a proven track record of quality, security, and healthcare capabilities.
Stephen F.H266
User Rank: Apprentice
4/24/2014 | 4:54:38 PM
It's not if, it's when
What a mess.  Once medical information escapes the physical confines of the physician's office, clinic, or hospital, it will be hacked.  That's scary enough; what's even scarier is the possibility we won't even know it happened, much less who did it.  And once a central government gets its hands on the information, it becomes a vehicle for intimidation and other forms of destroying personal liberty.