Even HIPAA not quelling lingering cloud concerns
These days, it seems, data breaches and hacking are regular news in health — and across industries.
The fear of breaches, subsequent fines and reputation loss is among the reasons why some healthcare technology leaders have been hesitant to embrace cloud-based technology writ large. They need not fear, but they should be informed, and such fear is certainly understandable.
Indeed, almost 20 percent of healthcare organizations have suffered a security breach, some 804 breaches involving more than 500 patient records occurred between 2009 and 2013, and this summer the hospital network Community Health Systems was hacked, according to a report from the Institute for Health Technology Transformation, or iHT2.
Looking outside of healthcare, there have been frightening breaches of cloud-based data, like the 2011 incident involving Sony’s PlayStation 3 accounts on Amazon Web Services. Then there’s the celebrity photo hacking in Apple accounts, which actually happened through password guessing, not cloud-system hacking, but nonetheless contributes to the fear.
One health cloud skeptic is Chris Logan, chief information security officer of Care New England, a three-hospital system based in Providence, Rhode Island. Though the system’s vendor, Cerner, has a remote-hosted EHR, Logan told iHT2 he still prefers a dedicated infrastructure over a multi-tenant public cloud.
“Most cloud vendors have huge servers and are carving pieces up to give to customers. The thing that scares me about that is, what if the controls aren’t in place and my data slips into somebody else’s environment, or their data slips into my environment? What’s the downstream issue there? What’s the effect? It’s significant.”
HIPAA is starting to take care of that, with its most recent update in 2013 specifically defining cloud services as business associates, which have to comply with HIPAA security rules and also take on direct liability for security breaches.
Even with the BA protection, though, there’s still a risk for healthcare organizations. “Your name and your reputation are always at stake if there’s a security breach,” Jeff Pearson, CIO at Trinity Mother Frances Hospitals and Clinics, in Tyler, Texas, told the report's authors. “So you have to worry that if you make a poor choice of a cloud vendor, your organization is still going to suffer.”
While there is no undoing bad PR stemming from a breach, health organizations can dig deep into their contracts with cloud vendors and negotiate upward on caps for damages stemming from breaches.
Relatedly, one of the biggest factors to consider over the long term is subscription cost, according to iHT2. Renting cloud space may not necessarily be cheaper than purchasing and hosting an internal system.
"Most cloud services are by subscription, and subscription fees come out of our operating budget," David Reis, chief information security officer at Lahey Health, in Burlington, MA, told the researchers. “When we buy a system, we can capitalize that cost and it doesn’t count against our operating budget. So financing these cloud services is a very significant inhibitor. This has been a conversation at Lahey for the 2.5 years I’ve been here. It’s the undiscussed story of the cloud.”
On the flip side, in-house systems face the costs of downtime — as much as $264 per minute for a 500-bed hospital.
“Most on-premises systems have downtimes,” said Drew Koerner, chief healthcare solutions architect at cloud service company VMware. “The people who run the cloud-based infrastructure — including us — have got 10 times less downtime than you would have within an on-prem system.”
In the end, healthcare organizations with mixed feelings about the cloud may want to watch their peers — and learn from them.
More than 83 percent of hospitals and health systems are using the cloud for at least some technology, according to a recent HIMSS Analytics survey of 150 organizations. About half are using the cloud for clinical operations, about three quarters are using it for administration and about three quarters are using hybrid cloud services that give them more control over their data but less than the full potential for savings promised by large public clouds.
A bit less than a quarter of the hospitals and health systems surveyed are using the public cloud, which is available to the general public and, according to vendors, can yield savings of up to 40 percent over five years, compared to internal hosting, while private clouds come with savings of up to 20 percent.
Leery health organizations should know, too, that some businesses throughout the rest of the economy are also waiting before diving in. Less than 40 percent of cloud users across industries are using a public cloud, according to a 2013 survey by North Bridge Venture Partners.