Physicians Find Security In The Cloud - InformationWeek


Physicians Find Security In The Cloud

Healthcare practices are increasingly partnering with trusted cloud service providers to provide enhanced data security along with improved efficiency of IT operations.


A growing number of healthcare practices are finding that cloud services, once feared by security-conscious providers, are now proving to be a safer option than on-premises alternatives.

While only 4% of healthcare providers adopted the cloud in 2011, use of the vertical cloud is now growing by 20% annually, according to MarketsandMarkets. By 2017, the researchers predict, healthcare organizations will spend $5.4 billion on cloud services.

Security demands are driving some of this growth. Stronger HIPAA laws penalize organizations that breach patient data -- and many breaches occur when an employee loses a laptop. For example, on April 22 Concentra Health Services paid the US Department of Health & Human Services Office for Civil Rights more than $1.75 million after an employee's unencrypted laptop was stolen and the organization was found to have insufficient security management processes in place to protect patient data. Indeed, between 2009 and the end of last year, 24 million patient records were breached. Theft accounted for about half of them, wrote Chris Poulin, research strategist for IBM's X-Force Research & Development team, in a blog.


"There's a recognition now that cloud is probably going to be much more secure than you're ever going to be in your own shop, especially if it's not your core competency," Bill Fera, a principal at EY, told us.

Before opening its doors in late 2012, Eppel Family Medicine immediately purchased a cloud-based system, according to office manager Ken Adams. "When you make these decisions about an electronic health record, we didn't want a server that could be stolen. We didn't want paper. The cloud system was definitely a draw right from the get-go," he said of the practice's purchase of CareCloud. "Even more than the cost and ease of use, we didn't want it here in the office. We wanted somebody else to protect it from the bad guys."

When it comes to securing data, practices cannot focus solely on their server. "Everyone thinks of patient information as in their [electronic medical records], but when we go through and do a risk assessment, we find there's patient information in email, and all that information is sitting in laptops or smartphones or tablets," says Art Gross, president and CEO of HIPAA Secure Now, which provides compliance and risk-assessment products and services.

Moving data to the cloud reduces that risk since it is now stored remotely. "There is no laptop containing patient data you can take from cars or [nurses'] carts," says Anand Shroff, CTO at Health Fidelity.

Since a practice no longer operates its own server, it doesn't need to worry about protecting the physical computer from manmade or natural disaster. That's good news, technology executives say, given that some practices aren't equipped to house servers and sometimes place them in inappropriate places. For example, one doctor's office stored its server on a board placed over a toilet in a bathroom, Edwin Miller, VP of product management at CareCloud, told us. The provider of cloud-based healthcare IT software and services integrates with Box for file sharing on a HIPAA-compliant product that patients can access from any Internet-connected device, he said.

Partnering with a HIPAA-compliant cloud-based EHR provider relieved Rose City Urgent Care & Family Practice's security and regulatory woes, according to Dr. Ken Johnson. Founded by three physicians who wanted to help low-income patients, he explained, the practice had little money or time to spare on technology.

"I didn't want to spend all my time in IT fiddling with the server. Although I love doing that, I knew I wouldn't have time," Johnson told us. "With cloud computing, all I need to know is I have a great redundant pipe running to the network. I don't need to have this massive infrastructure."

Although he was initially concerned about security and backup, Johnson realized his solo IT operation couldn't effectively handle the organization's needs, especially with a rapidly growing user base. Eventually he chose a cloud-based EHR and Carbonite's automated cloud backup service. Since Carbonite is a business associate, it provides business associate agreements to Rose City, thereby meeting regulatory requirements.

"In many instances a private cloud is sometimes more secure than their own environment, especially when you talk about physician practices, small businesses, and small rural community hospitals," says Mac McMillan, current chair of the Health Information Management Systems Society (HIMSS) Privacy and Security Policy Task Force and CEO of CynergisTek, a consulting firm focused on regulatory compliance in healthcare. "Some of these organizations don't have the wherewithal to basically have a large IT or a sophisticated IT organization or even their own IT organization or someone to manage a datacenter. In those instances, putting your EHR in a private cloud vendor facility that probably has better security than half the datacenters in healthcare today is a better solution than trying to host it yourself, both operationally and from a security perspective."


Alison Diana is an experienced technology, business and broadband editor and reporter. She has covered topics from artificial intelligence and smart homes to satellites and fiber optic cable, diversity and bullying in the workplace to measuring ROI and customer experience.

User Rank: Author
4/24/2014 | 5:50:30 PM
Re: It's not if, it's when
Yes, there is a chance a cloud service provider's data can be hacked, of course. But every single day we hear of laptops, phones, and tablets getting stolen or lost from doctors' offices and hospitals. Each of those devices often includes hundreds, if not thousands, of (usually) unencrypted data. Then that small office is fined, heavily fined, perhaps more than $1 million. If they luck out and don't get breached, is it planning or luck? Do the hundreds of small practices in a town spend adequate time and money adding the right security tools, training staff against social engineering, and updating everything once patches come out? Are their offices protected by sensors, security systems, wire, and dogs to prevent machines physically being removed? How much background checking of employees do they do and how often do they refresh those checks?

And, of course, they're supposed to care for patients in the middle of all this!

So while cloud isn't 100% safe, it's often a safer alternative. And it definitely should give practices peace of mind that they have reduced the risk to themselves if they do their homework and choose a partner with a proven track record of quality, security, and healthcare capabilities.
User Rank: Author
4/25/2014 | 9:54:15 AM
Re: It's not if, it's when
Thanks, @Gary. Even some of the most technically-minded physicians -- you know, pros who enjoy tinkering and even programming in their spare time -- agreed with your statement, Gary. They realize they don't have time and recognize major security flaws -- Heartbleed for example -- can be discovered at any time, including times when their practice is fully booked and nobody is available to make any needed patch downloads. 

As you also point out, availability is crucial. Of course, practices must seek at least 99.99% uptime from their cloud service providers. And get an SLA (reviewed by an attorney) with some teeth to it, recommended some experts I've spoken to over the years. What other steps are cloud users taking to ensure they can access data if they can't connect with their cloud-based data?