Security in the Cloud

July 19, 2011 by John Degaspari

| Reprints

Cloud Computing has been Playing a Larger Role in Healthcare, but what is its Security Profile?

At one end is the truly distributed model, in which the cloud vendor is essentially an aggregator with contracts to other cloud vendors that have excess capacity in their data centers and are willing to lease it out. That model is high-risk, because the customer has no control over where the data is stored and there is probably no way to audit the data, he says. At the other end are large data centers owned and operated by a single cloud vendor. That model is far more secure, is compliant with the Statement on Auditing (SAS)-70, physically protects and monitors data, and allows data to be audited, even though it is distributed within the facility, he says. And, if one does not want to go the third-party route, an organization can build and operate its own cloud.

The second consideration for potential cloud users is to understand who has access to the data, McMillan says. Multiple customers can have their data stored on a given server and still have the data segmented on that server. How the data is being managed in the environment, what level of access by the health organization is being deployed, and what level of audit is being used to make sure that one customer does not have unauthorized access to the data of another customer should be part of the vendor's evaluation, he says.

Fortunately, there is good information available that can help healthcare providers ask the right questions. One source is the Cloud Security Alliance, a group that has published documents that can help organizations make informed decisions about if, and how, to employ cloud computing services and technologies.

Rick Schooler

Third, and specific to the healthcare industry and health provider organizations, newer requirements that have come under the Health Information Technology for Economic and Clinical Health (HITECH) Act, could be more challenging, depending on what type of information gets put on the cloud, McMillan says. For example, the proposed Accounting for Disclosures rule by the Department of Health and Human Services' Office for Civil Rights, poses questions around auditing of data that is stored with a vendor's cloud service, depending on how that data is managed.

MOVING PHI TO A PLATFORM THAT IS UBIQUITOUS TO MANY INDUSTRIES OR INDIVIDUALS RAISES THE LEVEL OF CONCERN. -RICK SCHOOLER

PHI: A SPECIAL CASE?

Rick Schooler, senior vice president and CIO of Orlando Health, a six-hospital, 1,780-bed system in Central Florida, says the cloud has become an acceptable risk for certain types of software, infrastructure, and storage services, such as image storage or revenue cycle data used for business intelligence analytics. In those cases, particularly where the cloud vendor specializes in one type of service, security is less of a concern, he says.

The cloud gives pause to many health providers when it comes to protected health information (PHI). “That's a bridge that not many have crossed in the healthcare world,” he says. “Moving PHI to a platform that is ubiquitous to many industries or individuals raises the level of concern.” That doesn't necessarily mean that it is off limits, but it does mean that more precautions have to be in place to protect privacy, he adds.

Orlando Health is currently in the process of evaluating whether or not to take that step, he says. Among the issues it is looking at is whether the cloud vendor stores data, what is the data environment, how data is backed up, how backup data will be made available should the primary system fail, and whether there is a bridge in place to retrieve data. “A robust assessment needs to be done before putting your neck on the line. The performance has got to be there. You need assurances that you are not going to lose data, and if they do, how will you get it back.” With PHI, it is essential that the cloud provider is experienced working with healthcare data and can demonstrate that it is capable of protecting it.

David Muntz, who views PHI as sacrosanct, says that Baylor does not store PHI on the cloud. “The data that is collected by the physician is really under that sacred trust. If I am responsible for storing that data, I want to make sure that I am protecting that sacred trust,” he says. In his view, that means storing the data on Baylor's own servers.

That is not to say that Baylor does not use the cloud at all. “We are users of outsourcing services, and we do use SaaS [software as a service],” he says. He personally would prefer another metaphor that better characterizes its real benefit: to buy storage, infrastructure, or services as needed. In his view, the concept of the cloud, a term he finds too nebulous, is not so different from the concept of an application service provider, and he requires the same kinds of assurances from both.

Infrastructure

Security in the Cloud

PHI: A SPECIAL CASE?

More like this

Most Popular

GUEST BLOG: Can Entrepreneurs “Cure” Healthcare With Technology?

Behind the Curtain

Leveraging Big Data to Improve the Standard of Care

Congratulations on your EMR-Now take this clipboard full of forms and go fill them out

Webinars & Whitepapers

Do's and Don'ts of Successful Data Management for Population Health Management

Creating Connections with Population Health Management: Bringing Together People, Places and Information

mHealth Technology: Four Key Steps

Healthcare's Future Depends on Data-Driven look at Individual Behavior

How to Put Data and Analytics to Work in the Era of Healthcare Reform

Current Issue

September 2013

Poll