Cloud computing: Can hospitals manage security better than Amazon, Google or Microsoft?
Hospital executives are still concerned about putting health data in the cloud but there is a growing consensus among security specialists that the fears are not as necessary as they once were.
That was among the overarching themes to emerge from the Healthcare IT News Cloud Computing Forum here at HIMSS17 on Sunday.
Nephi Walton, for instance, threw down the gauntlet: “Security concerns about the cloud are valid but I challenge you to look at your own organizations and see how secure they actually are.”
Walton, a biomedical informaticist at the Washington University School of Medicine, posted that to attendees.
That’s not to say storing personal health information or personally-identifiable information in the cloud is a simple matter.
Beaufort Memorial CIO Ed Ricks said that “there’s no such thing as a HIPAA-compliant” solution.
“I always pause when a vendor says they are HIPAA compliant,” added Anahi Santiago, CISO of Christiana Care Health System. “HIPAA is based on risk management.”
Santiago said that risk management requires constant reevaluation of vendors and policies. Chlidren’s National Medical Center IT security director Chad Wilson added the devil is in the details of contracting.
“You really have to build a relationship with that company and understand their framework,” Wilson said.
Ricks, Santiago, Walton and Wilson, it’s worth noting, all already have applications and data in the cloud. Christiana, in fact, implemented a cloud-first strategy for new apps and technologies.
“Anything is doable on the security front,” Santiago said, explaining that Christiana demands certifications such as HITRUST or ISO and looks at SOC II reports, among other policies and procedures, from any vendors they work with.
Kristin Chu, director of information services at the University of California at San Francisco Medical Center said that ultimately providers’ responsibility is not all that much different than protecting data anywhere they store it — but recommended moving cautiously.
“We did it very slowly and vetted it. It was successful over the course of months,” Chu said. “Cloud is key to our future. My advice: Get in and persevere in the process.”
Washington University’s Walton said that many people in healthcare are inhibited by security concerns but don’t even realize how much data they actually have in the cloud already.
“I’m sure people are targeting Amazon, Google and Microsoft but because they get that all the time they’re more prepared to defend against it,” Walton said. “You‘re hard pressed to match the same security as one of these companies.”
HIMSS17 runs from Feb. 19-23, 2017 at the Orange County Convention Center.
This article is part of our ongoing coverage of HIMSS17. Visit Destination HIMSS17 for previews, reporting live from the show floor and after the conference.