Web designer Chris Watterston put it best when he created a sticker that went viral: “there is no cloud, it’s just someone else’s computer.”
It’s that very issue that makes the cloud both appealing and unappealing to healthcare providers. It’s appealing because it provides the scalable, usable storage for the expanded needs of today’s healthcare market, including the storage of large genomic files and digital imagery. Few providers can store this kind of data in-house – and so, they use the cloud.
Ed Cantwell, executive director of the Center for Medical Interoperability, says people get tripped up over who accesses the cloud, and how. “They think, if it’s in the cloud, it’s a free-for-all. But that’s not the case at all,” he says. “I’m not so sure if a hacker cares if you are in the cloud or locked in a vault. If you’re in the cloud, you’re still located somewhere physically.”
Security is definitely a theme behind cloud concerns. James Custer, director of product development at Yorktel, says when it comes to the cloud, fears about HIPAA compliance are front and center.
“There is always this huge hesitation when the cloud is discussed,” Custer says, which is why the paperwork and sign-off for using the cloud can sometimes take a healthcare organization up to a year. But despite the difficulties, the cloud has really served well the smaller hospital systems that can’t afford their own infrastructure. “The cloud has been huge for them,” he says.
Ray Derochers, executive vice president of HealthEdge, a cloud host company that serves mainly health insurance companies, says despite any initial hesitancy, most large insurance companies are moving to the cloud.
Beyond security issues, there is also the need to decide what information to move to the cloud. Because of the confidentiality and complexities of the insurance business, there is no way all the data is going to the cloud, Derochers says. Because of this, “people are afraid to take a bold position. They don’t comprehend all the moving parts.”
Tips for managing cloud technical and security issues
David Furnus, the site information security director at Stanford Health Care – ValleyCare, says, “the cloud isn’t impervious to attack; that’s a given.” But knowing that can help to ensure protection.
Furnus suggests engineering resilience into systems and applications. This means “to expect we will be breached and to be prepared to detect, contain, and correct the breach as quickly and as effectively as we are able.”
The security of data transmission to and from the cloud is “a non-issue,” Furnus says, if the cryptographic controls being used meet or exceed the requirements of the Federal Information Processing Standard Publication 140-2 (FIPS PUB 140-2), a federal government computer security standard used to accredit cryptographic modules.
According to Furnus, providers should only consider using the cloud if the cloud host, at a minimum, uses the Federal Risk and Authorization Management Program (FedRAMP), a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. In addition, the cloud provider should “be subject to the successful negotiation of other client-specific security requirements.”
Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS), North America, says there are a number of things to look for when selecting a cloud provider.
First, make sure the cloud host will offer access to the data on demand, with few interruptions. This is critical to healthcare. Does the host have a good track record of making the data available during business hours? Cloud hosts schedule downtime for maintenance, but do they also have frequent unscheduled downtime when physicians might need records for patients? Ask colleagues who have used the cloud provider. “Don’t believe what marketing people say on the website; it’s so much more than that,” says Kim, who advises getting any kind of promises or assurance of medical record hosting in writing. Chances are, if it’s not in writing, it might not be part of the agreement.
Get a copy of the cloud host’s last risk assessment to see how well they are doing with security, Kim advises. Check to see what controls they are using in terms of security. A good rule of thumb when it comes to cloud security: “sometimes you get what you pay for.”
Be wary of small start-up cloud services, Kim adds. Will they be around in a year? Many venture capital firms own cloud companies temporarily, planning to sell. With a large cloud provider that has been in business for 10 years or more, there’s a little more assurance they will be in business a while, Kim says.
Check out the company’s customer service capability. Sometimes it’s limited. “In this day and age, it can make a world of difference what the customer service is like. If the company isn’t responsive and keeps kicking the can down the road, that’s not good, especially when it comes to caring for patients,” she says. “Physicians can’t fight with the technology and take care of patients at the same time.”
In terms of managing the risk after you have legally bound yourself to a cloud company, Kim says to make sure someone in the organization is keeping up with them, serving as a liaison.