Share By Kathryn Doyle
There’s been a lot of talk about “the cloud” in healthcare over the last year, with critics largely skeptical of the security of storing sensitive patient information in a nebulous, poorly understood remote “area.” The cloud consistently ranks high on a list of security concerns, even for some technology experts.
“The perception is, with cloud services we don’t know where our data is at, we don’t know what’s running the workload or where the servers are,” said Ken Bradberry, chief technology officer at Xerox Healthcare Provider Solutions.
But that comes down to a communication failure, not security vulnerabilities with the cloud, Bradberry said.
“Anytime you take such a generic approach to explaining such a complex architecture, you’re going to create a whole lot of doubt.”
“And that creates discomfort with a lot of Chief Information Officers, thinking if I don’t know where it is, how can I manage it, how can I trust this environment, because I don’t understand it,” he said. “What we find is cloud services are as secure if not more secure than most conventional offerings because of their very nature.”
Extensible, Flexible, Affordable
“Anytime you take such a generic approach to explaining such a complex architecture, you’re going to create a whole lot of doubt,” Bradberry said.
Cloud storage and data management is too often explained incorrectly, with vague references to remote servers and “virtualization,” he said. Even the name, “the cloud” conjures images of ephemeral vapors, shifting, out of reach, and transparent.
But what is the cloud, really?
Technically, the cloud is the Internet. When you use the cloud (like when you use Gmail, Netflix or Pandora) you’re accessing data that isn’t actually stored on the hard drive of your device, the data is stored on the Internet.
That doesn’t mean there are no physical storage drives involved; Google, Netflix, Pandora and healthcare cloud services all have physical servers. You may not know where they are, but they hold your data, like Electronic Health Records.
The “cloud” can actually refer to many different things.
There’s nothing theoretically that makes the cloud any less secure than conventional storage, except that the physical server is now farther from you on the Earth. It’s one step above your own hard drive because you can access your data from anywhere, on multiple devices, and if one device crashes you don’t have to worry about losing that data.
For instance, if a hospital’s system is big enough, it might have a private cloud service, which means the hospital owns the servers and decides where to keep them, further reducing the security risk.
Public vs. Private
Another reason “the cloud” has a bad name for this type of data management is that it can refer to so many different things, Bradberry said.
“If I’m a large system, I’m going to use a solution that has cloud attributes: extensibility, flexibility, affordability,” he said. “I’m less likely to go out to the public cloud, to have resources pulled across the Internet.”
“If I’m an ambulatory clinic with a smaller scale, I’m more likely to leverage something across the public Internet that is encrypted and VPN secured.”
Good hybrid solutions will incorporate standard security measures, such as identity management, multifactor authentication at sign on, biometrics or proximity cards.
Public and private models have their individual costs and benefits, but ultimately larger systems tend to go with private solutions, and smaller systems use the public Internet cloud. Neither are particularly insecure, Bradberry said. And most systems end up finding a solution with elements of public and private in a mix that makes sense.
“Most of what people are actually using are hybrids,” he said.
“Most of your security breaches have nothing to do with cloud services, they have to do with poorly secured networks and poor data management, because you’re allowing a physician to access 10,000 patient records on a laptop and that laptop gets stolen,” he said.
Currently, things are looking up for the cloud in healthcare, and acceptance seems finally to be turning a corner. The implementation of the HIPAA Omnibus rule makes cloud services even more secure by holding third-party server providers responsible for securing and encrypting personal health information, taking some of the pressure off of healthcare providers.