
There is still quite a bit of uneasiness about cloud environments in healthcare, largely due to limited understanding of, or general misinformation about, what is involved.

Why should healthcare providers care about the cloud?

Many healthcare organizations are moving away from the business of information technology (IT) and data centers. Their central focus is not on IT, but rather on improving health and saving lives in their communities. A true cloud environment ensures 99.999% uptime, built-in disaster recovery, no VPN or Citrix overhead cost, and is available anywhere, any time. Healthcare organizations that continue to own and manage physical hardware are finding themselves with big challenges!

With a secure cloud-hosted environment, the likelihood of a data breach is eliminated. 

Owning and managing hardware onsite in a healthcare facility opens up risks on many levels. The first risk is the potential for the physical hardware to be compromised because of either (1) a hardware failure resulting in lost data, or (2) the potentially worse scenario of physical loss of storage devices containing patient health information (PHI). Recently, health insurer Centene Corp., a St. Louis-based Medicaid company, lost 6 hard drives containing sensitive information for as many as 950,000 beneficiaries [1]. Having physical hardware onsite leaves a healthcare facility vulnerable to HIPAA security breaches. The "[HIPAA] Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information," as defined by the U.S. Department of Health and Human Services [2]. The law also specifies that a facility can be fined up to $50,000 per violation and responsible parties could serve 1 year in jail. It is critical to note that "unknowing" is not an allowable exclusion from civil penalties.

Costs associated with owning, maintaining, and replacing aging hardware are also an issue.

The average server life is 3-5 years, after which new hardware needs to be purchased. Additionally, server software licenses need to be renewed. Typically, an outside vendor is brought in to "wipe the servers" clean of all patient health information. Not performing the necessary maintenance and upgrades can leave the facility vulnerable to hardware failure. Losing years of patient health and financial data due to data corruption or a complete hardware crash is potentially a catastrophic record loss and business disruption. The value of such an event is difficult to gauge, but certainly losing accounts receivable data or electronic health records is significant. A secure, true cloud-hosted environment provides business continuity, HIPAA security, and virtually eliminates most, if not all, onsite hardware requirements.

Accessibility is the last challenge of having physically-owned hardware versus storing the data and application in the cloud. 

As a standard offering, a secure cloud application can be accessed anywhere via secure authentication and data encryption, much like online banking. This limits the facility's vulnerability to data hacks into its networks. Optimal sharing of data among users who are likely to physically reside in different locations is simultaneously provided. Many facilities with a centralized server overcome the challenge of sharing data across locations through a secure VPN connection or through the use of Citrix services. The cloud, VPN, and Citrix offer the same level of access, availability and security; however, VPN and Citrix come at a much higher cost for the additional layer of software, additional servers and infrastructure, plus the added IT support costs to maintain the infrastructure.

The cloud architecture and security requirements have evolved to the point of being a mature and reliable standard.

This is evidenced by the widely adopted use of services like online banking, Apple Cloud, Microsoft OneDrive and Azure, Google Drive, and Amazon Cloud Drive. These and many other tools are leveraged by users every day to make both their personal and professional lives more convenient and readily available, no matter where they are. In so many industries outside of healthcare, the cloud environment is the industry's standard for storage and data security. Healthcare has historically been slow to adopt technology, and the delays often come at a higher operational cost as well as a higher HIPAA Security risk.

Here are 5 things to look for when evaluating a cloud-hosted software solution for your healthcare facility:

  1. How much scheduled and unscheduled downtime did the vendor have in the last year?
  2. What physical security measures are in place for the cloud-hosted environment?
  3. How is the PHI data encrypted across data transmissions?
  4. Can the application be accessed anywhere and at any time?
  5. What is the process for failover and disaster recovery?

The most important thing is to choose a vendor that has a proven track record. Take the time to do due diligence on each vendor. Determine your organization's security risk tolerance level for each of the applications. The organization's decision on whether to be risk averse or to have some risk tolerance (dependent on the application) will help to sort through the various solution offerings. Also, look for native data encryption because it allows health data to be accessed securely from anywhere.

In summary, there are many benefits of a cloud-hosted environment across all industries.  For healthcare, moving to a cloud-hosted application rapidly mitigates potentially costly catastrophic data breaches as well as business disruptions.

 

Site References:

[1] Powderly, Henry (2016, Jan 26). Centene loses hard drives with health info on 950,000 beneficiaries, launches search. Retrieved from http://www.healthcareitnews.com/news/centene-loses-hard-drives-health-info-950000-beneficiaries-launches-search?mkt_tok=3RkMMJWWfF9wsRonuqrLdu%2FhmjTEU5z17%2B4rXK%2B3hYkz2EFye%2BLIHETpodcMTcBkN7%2FYDBceEJhqyQJxPr3MLtINwNlqRhPrCg%3D%3D

[2] U.S. Department of Health and Human Services. (n.d.) Summary of HIPAA Security Rule. Retrieved from http://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html