|Cloud Computing has Been Playing A Larger Role in Healthcare, but what is Its Security Profile? by John Degaspari|
As more provider organizations look to the cloud computing model, they face a host of security-related questions. What are the appropriate applications for the cloud, what is the best cloud model, and what do they need to know to choose the best vendor? Hospital CIOs and security experts weigh in.
It’s worth noting that compared to all of the business sectors surveyed, healthcare organizations take the most security measures, according to Nathan Coutinho, manager of enterprise server, storage, and virtualization solutions for CDW, which he attributes to federal HIPAA mandates. Indeed, proposed rules from the Department of Health and Human Services’ Office of Civil Rights pose questions around auditing of data that is stored on a vendor’s cloud service, and some see more rigorous enforcement under HIPAA, including random audits of privacy and security safeguards by providers and their business associates.
IN THE CLOUD, I CAN’T NECESSARILY TELL YOU WHERE EVERYTHING IS. IT’S THAT UNCERTAINTY THAT CREATES THE GREATEST ANGST. –DAVID MUNTZ
PUBLIC OR PRIVATE?
The very term cloud computing, a catchall phrase that embodies various models, has led to confusion in the marketplace, according to David Muntz, senior vice president and CIO of the 14-hospital Baylor Health System in Dallas: “The term confuses people, and it creates, in some people, a sense of comfort that they can put information on the cloud, get services out of the cloud, and not have to know where anything is coming from.” His concern goes to the heart of security issues of the cloud. “In the cloud, I can’t necessarily tell you where everything is,” he says. “It’s that uncertainty that creates the greatest angst.”
Mac McMillan, chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy Steering Committee, believes that cloud security is an important issue that deserves more attention-so much so that last spring his committee decided to set up a workgroup to focus on the issue. “There are a lot of people knocking on people’s doors promising savings ‘if you move your stuff on to my cloud.’ We need to find out what ‘my cloud’ means,” he says.
The cloud’s distributed model of storing data in a way that does not associate the storage device with the application server itself is a smart approach for healthcare organizations, McMillan says. Because the data can be distributed, hospitals can reduce the amount of storage hardware it needs to support its environment, he says.
All of that, of course, hinges on choosing the appropriate cloud model-and reliable vendor-that will maintain the security of the data. There are a variety of cloud models that fall within two extremes, notes McMillan, who is also CEO and owner of CynergisTek Inc., an Austin, Texas-based IT security firm. And job number one for health providers considering the cloud is to identify the type of cloud that they may be doing business with, he says.
At one end is the truly distributed model, in which the cloud vendor is essentially an aggregator with contracts to other cloud vendors that have excess capacity in their data centers and are willing to lease it out. That model is high-risk, because the customer has no control over where the data is stored and there is probably no way to audit the data, he says. At the other end are large data centers owned and operated by a single cloud vendor. That model is far more secure, is compliant with the Statement on Auditing (SAS)-70, physically protects and monitors data, and allows data to be audited, even though it is distributed within the facility, he says. And, if one does not want to go the third-party route, an organization can build and operate its own cloud.
The second consideration for potential cloud users is to understand who has access to the data, McMillan says. Multiple customers can have their data stored on a given server and still have the data segmented on that server. How the data is being managed in the environment, what level of access by the health organization is being deployed, and what level of audit is being used to make sure that one customer does not have unauthorized access to the data of another customer should be part of the vendor’s evaluation, he says.
Fortunately, there is good information available that can help healthcare providers ask the right questions. One source is the Cloud Security Alliance, a group that has published documents that can help organizations make informed decisions about if, and how, to employ cloud computing services and technologies.
Third, and specific to the healthcare industry and health provider organizations, newer requirements that have come under the Health Information Technology for Economic and Clinical Health (HITECH) Act, could be more challenging, depending on what type of information gets put on the cloud, McMillan says. For example, the proposed Accounting for Disclosures rule by the Department of Health and Human Services’ Office for Civil Rights, poses questions around auditing of data that is stored with a vendor’s cloud service, depending on how that data is managed.
MOVING PHI TO A PLATFORM THAT IS UBIQUITOUS TO MANY INDUSTRIES OR INDIVIDUALS RAISES THE LEVEL OF CONCERN. –RICK SCHOOLER
PHI: A SPECIAL CASE?
Rick Schooler, senior vice president and CIO of Orlando Health, a six-hospital, 1,780-bed system in Central Florida, says the cloud has become an acceptable risk for certain types of software, infrastructure, and storage services, such as image storage or revenue cycle data used for business intelligence analytics. In those cases, particularly where the cloud vendor specializes in one type of service, security is less of a concern, he says.
The cloud gives pause to many health providers when it comes to protected health information (PHI). “That’s a bridge that not many have crossed in the healthcare world,” he says. “Moving PHI to a platform that is ubiquitous to many industries or individuals raises the level of concern.” That doesn’t necessarily mean that it is off limits, but it does mean that more precautions have to be in place to protect privacy, he adds.
Orlando Health is currently in the process of evaluating whether or not to take that step, he says. Among the issues it is looking at is whether the cloud vendor stores data, what is the data environment, how data is backed up, how backup data will be made available should the primary system fail, and whether there is a bridge in place to retrieve data. “A robust assessment needs to be done before putting your neck on the line. The performance has got to be there. You need assurances that you are not going to lose data, and if they do, how will you get it back.” With PHI, it is essential that the cloud provider is experienced working with healthcare data and can demonstrate that it is capable of protecting it.
David Muntz, who views PHI as sacrosanct, says that Baylor does not store PHI on the cloud. “The data that is collected by the physician is really under that sacred trust. If I am responsible for storing that data, I want to make sure that I am protecting that sacred trust,” he says. In his view, that means storing the data on Baylor’s own servers.
That is not to say that Baylor does not use the cloud at all. “We are users of outsourcing services, and we do use SaaS [software as a service],” he says. He personally would prefer another metaphor that better characterizes its real benefit: to buy storage, infrastructure, or services as needed. In his view, the concept of the cloud, a term he finds too nebulous, is not so different from the concept of an application service provider, and he requires the same kinds of assurances from both.
Muntz uses a three-tier model for contracts with third-party vendors. That model mandates that they meet Health Information Trust Alliance (HITRUST) standards; meet SAS-70 requirements; or be willing to permit unannounced audits of their data centers. “If you can’t do one of those three things, I am not going to do business with you,” he says firmly, adding that those requirements are “appropriate for the type of information that we are housing,” he says.
TWO CLOUD-BASED EXAMPLES
One example of a healthcare provider that has opted to partner with a cloud-based electronic health record (EHR) service is Cook Children’s Health Care, an integrated pediatric delivery system based in Fort Worth, Texas. It also does a million outpatient encounters a year, according to Ryan Champlin, Cook Children’s vice president of operations.
The hospitals use an EHR solution from Meditech, Westwood, Mass. In addition to Meditech, Cook Children’s was searching for an outpatient billing solution that could be used by its physician groups. It chose a cloud-based EHR platform from athenahealth Inc., Watertown, Mass., participating in a pilot initiative that connects athenahealth’s EHR solution with Microsoft’s Amalga database solution.
Champlin describes the combined solution “cloud-to-ground-to-cloud.” On the outpatient side, all of the physicians do their business operations and electronic medical records in the cloud with athenahealth. That data gets consolidated in Amalga that extracts data from any digital source and maintains it in an unstructured format until it is asked a question. It then gets pushed back out to the cloud, where health information is available to patients through Microsoft’s HealthVault online platform for collecting, storing, and sharing PHI, Champlin explains. Cook Children’s went live with the combined solution in February.
THE PRIVATE CLOUD IS THE CORRECT MODEL FOR HEALTHCARE AT THIS TIME AND MOMENT, WHERE THE REGULATIONS ARE AND WHERE I SEE THEM DEVELOPING. –ANDY FUSS
Champlin says he is confident that the patient data is secure with athenahealth, which is SAS-70 certified and submits to third-party audits (by Deloitte). In his view, the cloud solution positions Cook Children’s well for HIPAA audits. “I can tell you who looked at any record in Athena, on what day and time, and on which computer they looked at it. Athena has an audit trail, and I have an audit trail; it’s clear where people should be and where they shouldn’t be.”
CharterCARE Health Partners, a 579-bed, two-hospital health system based in Providence, R.I., has taken a different strategy, opting for a private cloud model and virtual desktop infrastructure. The health system’s assets are fairly far-flung, with two acute-care hospitals, a primary care center, and a nursing home and about 40 outreach facilities around the state, as well as two datacenters located 100 miles apart.
Andy Fuss, the director of technology and engineering for CharterCARE, says the private cloud is “the correct model for healthcare at this time and moment, where the regulations are, and where I see them developing.” The model allows him to see where all his data is, while remaining under his control, and he is able to provide what he needs to auditors, he says.
To tie the disparate pieces together, the provider opted to build a private cloud (using a software platform from EMC Corp., Hopkinton, Mass.) that it operates for its own use. The private cloud links the two datacenters virtually, Fuss says. The data is “locked down, physically secure as well as cyber secure.” All of the remote locations run off the private cloud with network connections, he says.
In the private cloud setting, security is under his control, Fuss says. “All data in transit is encrypted; all data is point-to-point; all data is within the network structure. At no point is it leaving the network, going someplace else, and coming back in.”