Melpomene - Fotolia
The Meditech EHR is moving to the public cloud.
The vendor is working in collaboration with Google Cloud Platform to make the most recent version of its EHR, Expanse, available through the public cloud. Meditech is not alone in its embrace of the public cloud. In late July, EHR vendor Cerner named Amazon Web Services (AWS) as its preferred cloud provider. Indeed, Epic is the only major EHR vendor yet to partner with a public cloud vendor. But one expert said it's just a matter of time.
Partnerships between EHR vendors and public cloud providers could bring a mix of benefits and challenges to healthcare organizations. A public cloud option for the Meditech EHR means Expanse customers could give up hosting, supporting and maintaining the EHR on premises. Meditech could also provide more cybersecurity resources to their customers.
Yet hosting patient data off site means a healthcare organization has less control when it comes to system maintenance or if an issue occurs.
Security of EHRs in the cloud
Cloud is a big part of the future of healthcare, yet it was only a few years ago when the technology was seen by CIOs as a "security and compliance" nightmare, said David Finn, executive vice president of strategic innovation at healthcare cybersecurity consultancy CynergisTek Inc.
When the HIPAA Omnibus Rule of 2013 went into effect, Finn said it drove a lot of change and has made the cloud as secure as a hospital data center. The rule required business associates like cloud vendors to comply with HIPAA, as well as be liable for their own breaches.
Jeff Becker, senior analyst at Forrester, sees backup and disaster recovery as the primary driver for cloud adoption by healthcare organizations. Health systems want a fully redundant data backup "off site and in the cloud," he said.
In a press release, Meditech stated the public cloud will play a role in helping healthcare facilities increase their security efforts and ability to fight ransomware attacks, something Finn sees as a distinct possibility.
Cloud vendors like Google and AWS will be more focused on security issues and have greater resources to address cybersecurity. Yet moving EHRs to the cloud could present new privacy and security risks, especially around tools like APIs, something the federal government is pushing to make healthcare systems more interoperable and patient data more accessible, Finn said.
The Office of the National Coordinator for Health Information Technology (ONC) proposed information blocking and interoperability rules in February that would require health systems to use FHIR-based APIs. FHIR is a set of standards for sharing data electronically, while APIs allow systems like a hospital EHR and a patient's mobile device to talk to one another. Finn said his concern is ONC has yet to put forward security standards for APIs, meaning a patient could accidentally open the door to a negative cybersecurity event.
"I would like to see us have some base standards around APIs, around the devices, if we're going to use public cloud for connecting," Finn said.
Finn is also concerned about an outside vendor controlling patient data storage. With data in the public cloud, decisions such as when to update software or emergency maintenance incidents would be out of a healthcare organization's control.
Becker said there is also a broader privacy concern associated with a company like Google, which built a business off of user data and ad personalization. The company has a tainted reputation when it comes to privacy stemming from incidents such as the University of Chicago Medical Center lawsuit from earlier this year.
The lawsuit alleges the University of Chicago Medical Center sent thousands of patient records, including doctors' notes, to Google without stripping identifiable information. In August, both Google and the University of Chicago Medical Center filed motions to dismiss the lawsuit, which was filed by a former University of Chicago Medical Center patient.
Despite the tricky area of data sharing, one of the main benefits the public cloud provides is enhanced security, especially for smaller hospitals and clinics. Meditech's partnership with Google could expose a healthcare organization to stronger security tools than it could build and maintain on its own, according to Becker. He pointed to DCH Health System in Alabama, a recent victim of a ransomware attack and a Meditech customer, as an example.
"It's three community-sized hospitals in rural Alabama," Becker said. "They don't have the capital to hire the kinds of cybersecurity experts they would need to perpetually protect their data center from increasingly complex and sophisticated ransomware attacks. But Google does."
Moving Meditech EHR to the cloud
One step further, Becker said that by selecting Google as its cloud provider, Meditech is positioning itself to "pursue innovation" within its own product line. The partnership could also help Meditech support its customers' pursuit of innovation, Becker said.
Healthcare organizations can't always hire the data scientists they would need to advance their operations. Becker pointed to machine learning as one example. Experts could build algorithms using hospital data to implement within clinical workflows, but are hard to find and come at a steep price tag. Google has resources like those in spades, he said.
Jeff BeckerAnalyst, Forrester
"You're getting access to cybersecurity experts, data science experts, AI experts and top tier technology talent," Becker said.
Through its partnership with Google Cloud Platform, Meditech has plans to develop native cloud products and APIs, according to the Meditech news release. Google Cloud Platform will feature additional options aligned with "Meditech as a Service," a monthly subscription service to Expanse, according to the release.
"Google's got the right vision, they've got the right technology, they've got an appetite for innovation, and Meditech has all of those things as well," Becker said.
EHRs moving to the cloud
Meditech is far from alone in pushing toward a public cloud. In July, Cerner expanded its relationship with AWS to accelerate the use of artificial intelligence and machine learning, as well as enhance clinical experiences and lower operational burdens for health systems.
The one laggard is Epic, Becker said, but he doesn't expect Epic to be out of the public cloud game for long. The Epic EHR is already cloud-based, and because Epic has worked with Microsoft in the past, Becker expects Epic to announce a partnership with Microsoft Azure within the next three months.
"Epic built their population health platform on Azure, Cerner built their population health platform on AWS, and Meditech has been a back-office Google client for years," Becker said. "These relationships are already established. You can kind of tell where everyone is headed and it's just a matter of time before they're going to decide they're going to make that public."