Health care institutions of all sizes are facing a common IT forecast -- plenty of clouds on the horizon. Smaller practices are finding it economical to do away with their own modest IT operations and rely on cloud service providers for electronic health record (EHR) services, while larger institutions are building internal, private health care clouds. Either way, it's a new paradigm that calls for infrastructure preparedness.
An organization partaking in cloud-based EHR services will probably find that the simpler it is to access, the better. Small practices are attracted to cloud service providers because they don't want to own and manage their own servers or deal with complex desktop interfaces that require client setup and user training.
Dr. Medhavi JogiHouston Thyroid and Endocrine Specialists
"We didn't have a lot of space. We didn't want to house a server or pay an IT guy," said Dr. Medhavi Jogi of Houston Thyroid and Endocrine Specialists. Seeking simplicity, Jogi opted for Centricity, a cloud-based EHR service from the health care division of General Electric Co., when he launched his practice in 2009. "It's just an icon on a desktop or laptop. You just need a password," he said, adding that his practice did not need to implement a virtual private network (VPN) to support Centricity.
That said, organizations must ensure that client systems are supported by the hosted service. In most cases, cloud services are intended to work with Windows PC client systems. But that's changing, thanks to the popularity of the Apple Inc. iPad.
Dr. Kenneth Luckay, of Luckay Doc LLC in Troutville, Va., uses Nimble, a cloud-based EHR service from ClearPractice LLC, on his iPad. "I find the iPad very helpful for going to hospitals and nursing homes," he said.
Health care cloud users must be proactive
Since using a public cloud service makes one dependent on the provider, it makes sense to inquire about the resiliency of the provider's network. For example, find out whether the provider has a disaster recovery site and, if so, whether it is far enough from the primary site that a single disaster would not affect both locations. It's also important to find out when the provider conducts data backups and how often. Some provide storage only as infrastructure, not as a service, and therefore leave clients to back up their own data.
"If the Internet goes down, we can't do anything. That's a big problem. I wouldn't be able to access what I need," Jogi said. Given this feeling of insecurity, the size of GE was a major selling point to Jogi. Still, he remains concerned about network outages and is looking to add a back-up Internet link. Right now, his backup is paper records that are kept in a locked cabinet.
Jogi is also concerned about sudden upgrades on the part of the cloud service provider that could create surprises, including incompatibilities. "You want to make sure your vendor doesn't upgrade without your permission," he warned.
Addressing cloud security concerns
When a public or private cloud service is used, data leaves the user's premises and is outside the user's control. Even with sound security technology and policies in place, there is still cultural resistance to allowing data to depart.
Mark McCuin, president of Pathagility LLC, a Little Rock, Ark.-based provider of Software as a Service reporting and workflow management systems for pathology labs, said cloud-based SaaS offerings have been slow to catch on in health care because medical professionals fear a loss of control over security and availability when data is not physically on their site.
Equally challenging is the reluctance of health care IT end users to embrace the discipline that data security requires.
"Physicians don't like the rigors of security because that slows them down. They don't like entering a user name and password," said Tom Whalen, core infrastructure team leader at Aspirus, a health care organization based in Wausau, Wis.
What follows are three key security recommendations for health care organizations making the move to a cloud service provider.
Secure the perimeter. Whether connecting to a public or private cloud, the first step for security is to authenticate each person accessing the system with a username and password. To overcome physician resistance, Whalen, who has built an internal cloud environment at Aspirus, has begun to implement radio frequency identification (RFID)-based smart badge technology that automatically logs in a user. From there, the user only has to input a personal identification number (PIN).
"For both security and compliance, we adhere to strong access policies," Whalen said. In addition, Aspirus is considering end-point protection tools from vendors such as Symantec Corp. to prevent activities such as unauthorized writes to removable media like USB drives.
Encrypt. Medical practices must also consider the level of security on their local network. HIPAA requires medical information to be encrypted in transport or in flight. That includes Wi-Fi network encryption. HIPAA also requires storage encryption, when data is at rest. As a result, health care organizations must implement encryption in their private cloud or obtain assurances of encryption from cloud service providers.
"Encryption is starting to become more and more relevant. We're now encrypting our backups -- we didn't do that before," Whalen said. Aspirus is also interested in in-flight encryption capabilities from EHR vendor Epic Systems Corp.
Ensure compliance. One issue that cloud-based EHR services are running into is the willingness of hosting services to offer guarantees of reliability and HIPAA compliance.
"Health care is a different animal because of the mission-critical nature of those applications," said Patti Dodgen, CEO of Hielix, a health IT consultancy in Tampa, Fla. "Most of the smaller managed service providers aren't provisioned to be that bullet-proof. They won't offer enough assurances."
A mere statement of HIPAA compliance is not enough, either. Before a health care organization signs a contract with a cloud service provider, it must make sure that the provider's HIPAA compliance strategy is strong enough to stand up to an audit. Special attention in particular must be paid to who will be held responsible in the event of a data breach.
Stan Gibson is a Boston-based contributing writer. Let us know what you think about the story; email firstname.lastname@example.org.