A growing number of healthcare practices are finding that cloud services, once feared by security-conscious providers, are now proving to be a safer option than on-premises alternatives.
While only 4% of healthcare providers adopted the cloud in 2011, use of the vertical cloud is now growing by 20% annually, according to MarketandMarkets. By 2017, the researchers predict, healthcare organizations will spend $5.4 billion on cloud services.
Security demands are driving some of this growth. Stronger HIPAA laws penalize organizations that breach patient data -- and many breaches occur when an employee loses a laptop. For example, on April 22 Concentra Health Services paid the US Department of Health & Human Services Office for Civil Rights more than $1.75 million after an employee's unencrypted laptop was stolen and the organization was found to have insufficient security management processes in place to protect patient data. Indeed, between 2009 and the end of last year, 24 million patient records were breached. Theft accounted for about half of them, wrote Chris Poulin, research strategist for IBM's X-Force Research & Development team, in a blog.
[Nuance offers a new radiology image-sharing service. Read Nuance Adds Radiology Image Sharing To Healthcare Cloud.]
"There's a recognition now that cloud is probably going to be much more secure than you're ever going to be in your own shop, especially if it's not your core competency," Bill Fera, a principal at EY, told us.
Before opening its doors in late 2012, Eppel Family Medicine immediately purchased a cloud-based system, according to office manager Ken Adams. "When you make these decisions about an electronic health record, we didn't want a server that could be stolen. We didn't want paper. The cloud system was definitely a draw right from the get-go," he said of the practice's purchase of CareCloud. "Even more than the cost and ease of use, we didn't want it here in the office. We wanted somebody else to protect it from the bad guys."
When it comes to securing data, practices cannot focus solely on their server. "Everyone thinks of patient information as in their [electronic medical records], but when we go through and do a risk assessment, we find there's patient information in email, and all that information is sitting in laptops or smartphones or tablets," says Art Gross, president and CEO of HIPAA Secure Now, which provides compliance and risk-assessment products and services.
Moving data to the cloud reduces that risk since it is now stored remotely. "There is no laptop containing patient data you can take from cars or [nurses'] carts," says Anand Shroff, CTO at Health Fidelity.
Since a practice no longer operates its own server, it doesn't need to worry about protecting the physical computer from manmade or natural disaster. That's good news, technology executives say, given that some practices aren't equipped to house servers and sometimes place them in inappropriate places. For example, one doctor's office stored its server on a board placed over a toilet in a bathroom, Edwin Miller, VP of product management at CareCloud, told us. The provider of cloud-based healthcare IT software and services integrates with Box for file sharing on a HIPAA-compliant product that patients can access from any Internet-connected device, he said.
Partnering with a HIPAA-compliant cloud-based EHR provider relieved Rose City Urgent Care & Family Practice's security and regulatory woes, according to Dr. Ken Johnson. Founded by three physicians who wanted to help low-income patients, he explained, the practice had little money or time to spare on technology.
"I didn't want to spend all my time in IT fiddling with the server. Although I love doing that, I knew I wouldn't have time," Johnson told us. "With cloud computing, all I need to know is I have a great redundant pipe running to the network. I don't need to have this massive infrastructure."
Although he was initially concerned about security and backup, Johnson realized his solo IT operation couldn't effectively handle the organization's needs, especially with a rapidly growing user base. Eventually he chose a cloud-based EHR and Carbonite's automated cloud backup service. Since Carbonite is a business associate, it provides business associate agreements to Rose City, thereby meeting regulatory requirements.
"In many instances a private cloud is sometimes more secure than their own environment, especially when you talk about physician practices, small businesses, and small rural community hospitals," says Mac McMillan, current chair of the Health Information Management Systems Society (HIMSS) Privacy and Security Policy Task Force and CEO of CynergisTek, a consulting firm focused on regulatory compliance in healthcare. "Some of these organizations don't have the wherewithal to basically have a large IT or a sophisticated IT organization or even their own IT organization or someone to manage a datacenter. In those instances, putting your EHR in a private cloud vendor facility that probably has better security than half the datacenters in healthcare today is a better solution than trying to host it yourself, both operationally and from a security perspective."
Download Healthcare IT In The Obamacare Era, the InformationWeek Healthcare digital issue on changes driven by regulation. Modern technology created the opportunity to restructure the healthcare industry around accountable care organizations, but ACOs also put new demands on IT.