by Yvonne Li, Co-founder of SurMD
When I speak with healthcare IT leaders about cloud-based data storage, retrieval, and transfer, the responses are often mixed. Some are steadfast believers in the power, scalability and cost-savings afforded by the cloud, having experienced these benefits first-hand with implementations at their own hospital or health system. Others raise questions ranging from security and data ownership to patient protection and affordability.
Although I’m a big proponent of cloud solutions, I understand the trepidation from the latter camp. After all, the stakes are high when dealing with sensitive patient information. Healthcare security breaches bring severe consequences, not the least of which includes the costs associated with violating the Health Insurance Portability and Accountability Act (HIPAA). Unfortunately, healthcare security breaches are more numerous than you might think.
According to the Health Information Trust Alliance, there were 500 breaches at U.S. healthcare organizations between 2009 and 2012 – resulting in 21,000,000 personal records being exposed with an estimated cost of $4,000,000 in damages. Healthcare institutions that suffer a breach incur expenses that include legal fees, regulatory fines, IT forensic charges, customer notification and monitoring costs. They also put brand reputation at risk, since it can take years to gain a patient’s trust but only seconds to lose it.
When considering cloud-based solutions in any industry, it’s important to separate fact from fiction. Here are five myths that continue to misdirect and misguide the cloud discussion in healthcare.
Myth 1 – Healthcare data stored on-site is more secure than the cloud
Although keeping data on-site makes some business and IT leaders feel more secure, keeping data close to home doesn’t equate to higher security levels. In fact, physical theft of on-site devices (and their data) continues to dominate as the most likely cause of healthcare breaches. More than 83% of patient records breached in 2013 resulted from theft, typically from criminals stealing unencrypted laptops from health providers and their business associates.
In addition to theft, hackers breaking into servers can present a problem for healthcare providers. Across industries, however, enterprise data centers are four times more likely to suffer a malware/bot attack than a cloud-hosting provider.
In August, for example, hackers in China were able to steal Social Security numbers and personal data of 4.5 million patients from Community Health Systems – representing the largest healthcare breach, to date. The hack was blamed on sophisticated malware and technology targeting Community Health’s own network, bypassing the company’s security measures and making off with a treasure trove of patient information.
The fact is cloud-based solutions can have tangible security advantages not offered by on-site storage – especially those from HIPAA-certified vendors. Many cloud service providers are willing to offer health providers a Business Associate Agreement (BAA), which will relieve some of the practice’s liability, as well as share the security layers and encryption methods they use to ensure the protection of patient data.
Myth 2 – Health providers lose ownership of patient data when using the cloud
Similar to misconceptions about cloud security, some health providers worry about data ownership when using a third-party storage provider. In truth, all data belongs to the provider regardless of where it is stored. This is part of the standard agreement between healthcare providers and cloud storage vendors, with the vendor contractually obligated to return all data whenever the provider wishes (e.g., if the healthcare provider decides to end the agreement). Additionally, best-in-class cloud solutions are vendor-neutral, meaning encrypted data is stored in its native format so it can be downloaded in its original form for use at any time.
Myth 3 – All cloud storage providers are created equal
Although this is intuitive, it bears repeating for one main reason: just because a vendor claims broad capability across industries, it does not mean they understand the regulatory requirements of the healthcare landscape. Any vendor can claim their solution is HIPAA-compliant, but very few cloud-based storage and retrieval companies are certified by a qualified agency who follows the rigorous process required to gain certification.
In addition to HIPPA certification, some cloud storage vendors offer more capabilities than others. For instance, there are cloud vendors that offer file exchange services for test results from patient-to-provider or between imaging centers and referring physicians. At the very least, file exchange processes should be HIPAA-compliant, if not HIPAA-certified by a third-party process, and sending and receiving of files should be traceable.
Myth 4 – The cloud should only be used as a disaster recovery solution for healthcare data
Using off-site cloud storage to ensure business continuity when there is a disaster seems like a no-brainer for many, but its benefits don’t stop there. This is especially true in healthcare, where information sharing and collaboration between providers and with patients is key to timely diagnosis and quality of care.
As mentioned, some cloud storage vendors offer secure, easy-to-use file transfer for sharing medical reports, images, and patient history. This eliminates the all-too-common practice of burning CDs with medical data, or e-mailing/faxing files to patients or other health providers, which puts data at significant risk.
Using a secure cloud-based file-sharing service, doctors can share files remotely and in real-time to consult with their colleagues or specialists – without compromising patient privacy. This enables healthcare providers to improve their response times through effective and secure collaboration.
Myth 5 – Cloud storage and file transfer is more expensive than on-premise
Leveraging a cloud model to enable secure storage and retrieval of health data need not be exorbitant in cost. In fact, primary benefits over on-premise solutions include both cost savings and scalability. Cloud-based repositories are scalable as you grow; often with pay-as-you-use pricing plans that offer flexibility and eliminate upfront fees and capital equipment expenses.
When examining total cost of ownership and comparing with on-premise solutions, health providers need to account for all costs associated with the on-premise model including data retention, support staff, security equipment, warrantees, hardware refreshes and consulting. These items typically result in far greater costs than most cloud models.
Although misconceptions like these continue to hinder cloud storage implementations among some providers, success stories at healthcare practices, hospitals and systems nationwide are numerous. A June 2014 HIMSS Analytics survey found that 83 percent of surveyed medical practices, hospitals and health care systems are using cloud services, citing lower maintenance costs, speed of deployment and a lack of internal staffing resources.
Overall, technological advances in healthcare, including storing and transferring electronic health records, and cloud storage and electronic access to records, are leading to better care coordination and a more efficient healthcare system. The ultimate goal is to provide the best treatment to the patient, in a timely manner, while keeping their personal health information safe. As long as healthcare providers remember that the decision as to how, when, and why to utilize the cloud should factor into their overall long-term business objectives and unique needs, the upward trend of moving to the cloud will continue.
Yvonne Li is a technologist and business development executive. She is an expert in cloud storage, healthcare data exchange, Internet business models, SaaS and content engagement platform design. She is the co-founder of SurMD, a cloud storage technology company and has launched a line of HIPAA- compliant cloud services. Li currently serves as VP of Business Development at SurMD, and can be followed on Twitter at @mySurMD.
Photo courtesy of Shutterstock.