
'Cloudy' Forecast for PHI

June 30, 2011

How secure is cloud computing as far as protecting patient data? At a time when many health providers are considering the use of the cloud, it’s a question worth considering.

Taking advantage of the cloud means trusting a third-party cloud vendor with your organization’s data. That means thoroughly evaluating a cloud operator, and getting a detailed picture of how your organization’s data will be stored on its servers, what sorts of protections it offers against unauthorized access to the data, and what sort of track record the cloud vendor has in healthcare.

The other side of the picture is what applications are appropriate to the cloud. I recently had an opportunity to speak with Rick Schooler, senior vice president and CIO of Orlando Health, a six-hospital system in central Florida. He says the cloud may be an acceptable risk for certain types of applications, such as software as a service, or using it to store revenue cycle data that can be used for business intelligence purposes. In those applications, security is a concern, but may well be an acceptable risk.

But what about the cloud and protected health information? “That’s a bridge that not many people have crossed in the healthcare world, putting PHI in the cloud,” Schooler says.

An editorial in the June 29 New York Times addresses the use of the cloud by corporations, citing breaches by hackers who stole names, email addresses and passwords of millions of users in recent weeks. It cites a survey by the Ponemon Institute that found that nine out of 10 companies surveyed suffered an online attack in recent months. It also noted that Dropbox, a popular service for storing documents and other files in its cloud, recently allowed anyone to log into its 25 million user accounts using any password for a period of several hours.

While the editorial does not single out the healthcare industry, providers are not exempt from any of these potential attacks. In May, according to the Times, the Obama administration proposed legislation to ensure that companies running critical infrastructure have adequate protections to reduce the risk of an online attack. The attention on cloud security is worth noting, and it should give organizations extra pause with regard to PHI.

The key point with this article is to do your homework when it comes to security in the cloud. However, this does not mean the cloud is inherently weak when it comes to security, and arguably there is a good case to be made that in many cases security is tighter than in data-centers run privately.

The fact that many people manage security through tight governance and policy for their own IT services does not mean that the same should not apply to cloud providers. It is important that consumers of cloud services look to their policies and ensure these are extended to cloud service providers, especially where PHI is involved.

Many industries have already made this happen, whether in financial services or manufacturing, and their needs around privacy and security are no less stringent than the needs within healthcare. Already cloud service providers are responding to the need within healthcare - companies like IBM are developing data-centers that are HIPAA compliant to meet the PHI needs. I only see this trend increasing as more customers demand this capability from cloud service providers, and it will happen faster this way than waiting for regulators to catch up with the trend.

The other reason why I see the trend being more positive for cloud services and SaaS companies is the fact that they are uniquely positioned to combat security threats in an environment where security specialists are harder to find. These companies will in the long term attract these skills because of the opportunities and challenges they represent to the security specialists. It is going to be a fight over a tight resource market, and I bet scale will win out in the end.

I do agree the security breaches have not reflected well on cloud providers recently, but this is just one perspective. There have been many other breaches at individual companies that do not see the light of day, and I am sure these are far more frequent than is reflected in the public records. The good and bad news is the fact that cloud providers are disclosing the increasing threat and they are responding to it quickly - how many individual IT departments can say the same thing?

In summary, I think the post does a good job of highlighting the fact that customers who are contemplating the move to the cloud need to make sure they understand what they are getting for their money. Moving to the cloud has many opportunities that allow IT departments to focus on adding tremendous value in other core areas of their activities, but it does not mean you can abdicate responsibility for ensuring the cloud service providers support your PHI needs.