Posted by: Jenny Laurello
Cloud, Cloud computing, Data breach, EHR, HIE, HIPAA, HL7, IEEE, SaaS, storage as a service, virtualization
You may recall a Joni Mitchell song from the 1970s about “looking at clouds from both sides now,” in which the singer concludes that, “I really don’t know clouds at all.” If you’re involved in health IT these days, you’ve probably felt this way yourself at one time or another.
Cloud computing has had limited acceptance in many market sectors, particularly healthcare, despite its relentless promotion over the last five years. The initial optimistic estimates of the cloud computing market size have been scaled back to more realistic numbers. Reports of data loss and security breaches have discouraged many potential customers — especially in the healthcare sector, where privacy, security and reliability are primary concerns — and shifted the focus from the public cloud (i.e., the Internet) to private clouds implemented as secure private networks. A recent poll indicated that while 37% of healthcare providers included cloud computing in their strategic plans, only about 5% had actually implemented a functional cloud platform.
Part of the cloud’s image problem is that it’s not really an architecture — it is a “marketecture.” A glimpse inside the cloud reveals that the primary technology underlying cloud computing is virtualization: providing the user with a segment of platform, infrastructure, software, or storage for their exclusive use. Some of these services, such as software as a service and storage as a service, may offer significant advantages, especially for small and mid-size healthcare providers that cannot afford a full-time IT department. But the fundamental requirements for any healthcare-related application — privacy, security, reliability — need to be considered when selecting a vendor.
One option is to obtain these services from an HIE. HIEs were originally developed to enable healthcare providers to share medical records and related patient data. Since HIEs are designed to handle protected health information, they are required to support common health information technology protocols such as HL7, and to conform to HIPAA privacy and security regulations. Many state and regional HIEs are already in service; however, developing a business model that provides a consistent revenue stream has been problematic. HIEs looking for a sustainable business plan may want to consider offering virtualized services to small clinics and private practices that don’t have, or can’t afford, a full-time IT staff. Some of the services that could be offered include electronic health records (EHRs), identity management, data backup, and business analytics.
One of the issues that arises when healthcare providers negotiate with third-party vendors is ownership of data from a legal standpoint. HIPAA and the Title XIII breach disclosure portion of the HITECH Act require that the vendor operate under the same “umbrella of security” as the healthcare provider itself. Negotiating a contract with a vendor unfamiliar with the details of HIPAA and breach disclosure can be difficult. One advantage of dealing with an HIE as a vendor is the ability to use a standardized agreement called the data use and reciprocal support agreement (DURSA), which spells out the details of data ownership, access, and reporting responsibility for both parties. The details of a DURSA can be customized to suit the needs of a specific provider/HIE relationship.
Finally, there are some basic questions healthcare providers need to ask when contracting for virtual services:
- Where is my data being stored? What is the physical location of the data? What backup technique is being used?
- What security features have been implemented? Is authentication performed for both clients and servers? Is the entire service HIPAA compliant?
- How is privacy enforced? Who else has access to my data?
- Is the EHR certified, standards-based, and interoperable? Will it enable me to meet meaningful use criteria?
While we can’t guarantee that this approach will cause the clouds to part and the sun to come out, asking the right questions of the right vendor will put you on the path to secure and cost-efficient use of virtualized services.