Is Your Health Data More Safe or Vulnerable in the Cloud?

by Richard Sullivan, Chief Operations Officer at Medsphere Systems, 04/03/2018

The illusion of control is tempting, even intoxicating. It’s also a characteristic that almost all humans manifest to one degree or another as we work to satisfy competence motives, the need for security, and survival instincts.

Because proximity often feels like control, it might also get in the way of secure healthcare IT.

“Files stored in reliable cloud services are some of the most secure files you can have, provided you have good passwords,” says software engineer John Miller, PhD. “Google, Microsoft, and Amazon all provide reliable cloud services for consumer file storage.”

What, in particular, makes cloud storage superior, according to Miller?

– Redundancy: The chances of losing the same data saved in at least a couple of different places are low.

– Security: Keep passwords and access to local machines safe and you’re in good shape. Data centers are not easily hackable and are very difficult to physically penetrate.

– Safe Sharing: You can give trusted individuals read access to data without having to deal with security risks like thumb drives and file copies.

Still, it’s a mistake to think that Amazon or Google can be entrusted with all security precautions. Your healthcare IT vendor is an active player in making sure your particular system is secure. When shopping for vendors or considering a move to the cloud, have a conversation that includes these specific concerns:

Risk: How much risk will you be comfortable with? While you could choose to lock your system up tight, there is a tension between system security and ease of access. Find a balance between the two. In striking that balance, ask for assessment process documentation that includes establishing a risk threshold and effectively managing potential security issues related to third-party vendors.

Cloud Security Tools: It’s not wise to rely exclusively on cloud vendor security, but it is also unwise to reject any inherent security they provide. Document succinctly what is part of the cloud service and what your healthcare IT vendor layers on. Two-factor or multi-factor authentication, now widely used, may be one example of a security protocol built into the cloud vendor package.

Responsibility: It will be vital that you ask relevant and pointed questions about responsibility across all three spheres: the cloud vendor, the healthcare IT vendor and your organization. Evaluate documentation that describes what security measures come from each and how they complement one another. It’s critical that you understand whether there are any holes in the security mesh you’re looking to create.

One of the more challenging aspects of moving to the cloud for many healthcare organizations is an uncertainty about what questions to ask. Too often, hospitals and other healthcare organizations may be tempted to just say, “That’s your area of expertise. Make it work.”

It will benefit you in the long run to probe and make your healthcare IT vendor defend and quantify their security approach.

And what, at a minimum, should that approach include?

1. A Design Philosophy

It may go without saying that your healthcare IT vendor has had to work HIPAA and HITECH considerations into their design approach, but you will still want to see documentation detailing exactly how. Protecting patient data, for example, will require that your data be isolated via network layout from other customer instances. Live and backup systems should be geographically separate in case of catastrophe. And network access controls should be layered at multiple levels so easy access is impossible. Again, find the right amount of tension between access and security.

2. Access Control

The security of your system depends on everyone in your organization adhering to access protocols. Communication between the clinical site and the cloud location should travel over an IPsec virtual private network (VPN). End users will transparently use the VPN to access system applications in the cloud. Multi-factor authentication for user access and constant system monitoring are both big steps toward a system that’s hard to breach.

3. Encryption

Make sure that your patient data is encrypted both in transit and at rest, i.e., when it’s sent across the VPN and when it is stored in the cloud. All operational, backup and log data should be encrypted using, at a minimum, the FIPS 140-2 compliant AES-256 standard. Ask about the encryption standard and for documentation of the protocol for moving to newer, more rigorous standards.

4. Disaster Recovery/Business Continuity

One of the strongest and most obvious arguments for moving to the cloud is the availability of disaster recovery and high availability backups. While unlikely, a disaster could destroy both the live and backup systems if both are in the same place, so ask if they are geographically distinct. You will want primary-to-secondary data replication to be constant, and hourly system snapshots should also be provided in the event of extreme situations. Also, make sure the disaster recovery site is ready to take over organizational operations at the drop of a hat if necessary.

Ultimately, while cloud security makes your organization no more vulnerable to breaches than you are with an onsite data center, there are better and worse ways to approach the cloud. A hybrid model, for example, of some local servers and some cloud hosting actually creates more vulnerabilities than a strictly public cloud approach. Your goal is to have fewer, not more, access points that could be breached.

“To be fair, much of the common perception of cloud security—or insecurity as the case may be—is just myth. Pervasive myth, but myth nonetheless,” says Tony Bradley at Forbes.

And it’s a myth many organizations now benefit from having banished. So, while you’re cleaning out the closet of long-held but possibly incorrect beliefs like the illusion of control, just toss cloud insecurity on the trash heap as well. When managed with the same level of care as local data centers, the cloud offers clear advantages.

 Richard Sullivan is the chief operations officer for Medsphere Systems Corporation, the solution provider for the OpenVista electronic health record.
