By Daniel Casciato
If your medical practice is considering moving your confidential patient data to a cloud-based service, you’re not alone. Many practices are realizing the benefits of hosting and accessing clinical data in the cloud. It can save your practice thousands of dollars annually by increasing productivity with fewer office personnel while reducing spending on data storage infrastructure. You can also access patient data from anywhere—in the office, on the road, and even from home. However, there are privacy and security risks associated with using cloud-based services that your practice should be aware of before you make this transition.
There’s no denying that there is a security risk when adopting cloud technology, according to Justin Hadler, director of engineering at Hardware.com in Minneapolis, Minn., which provides networking hardware, architectures, procurement, and support.
“You are extending the domain of physical and logical control of your data to another entity and essentially putting all of your eggs in one large basket,” he says.
Because medical information must be kept private, practices must ensure their cloud provider has the expertise and proper safeguards in place to keep this information out of the hands of others. Most cloud providers do complete lengthy and costly audits every few months to certify these environments for their clients, Hadler says.
Outside hackers are not the only threat; internal security breaches are more common. These arise when internal IT staff or employees of a cloud provider abuse the trust of the organization and misuse information stored in the cloud.
“Organizations need to set up ways to prevent abuse—such as setting up firewalls and antivirus technologies—but also ways to detect it, like monitoring, should these prevention methods fail,” Hadler says.
Because a larger cloud provider can absorb some of the very costly and time-consuming security practices, along with security audits, Hadler says that moving to a cloud infrastructure could offer large cost savings, depending on the size of your practice.
“Organizations can also benefit by selecting a cloud provider that has already built an infrastructure with healthcare specific regulations in mind,” he adds. “This can save mid-size to smaller practices a great deal of time and money.”
Even if you are working with a reputable vendor, Richard Stokes, healthcare IT consultant with Atlanta-based Network 1 Consulting, recommends keeping some expertise in-house or close at hand, such as a local outsourced IT partner.
“The cloud notion is notorious for making businesses think they no longer need internal knowledge of technologies, as that is all handled by the cloud provider,” he says. “When cloud has issues, it is important to have a resource that can help navigate contingency plans or data recovery options.”
Also, it is absolutely critical to review contracts with potential cloud vendors, says Stokes.
“Sign a Business Associate Agreement with the cloud provider, and review your contract very closely to determine what recourse you have if you experience a service outage or a data breach,” he says. “Before you enter a contract, know what your business rights, limitations, and legal consequences are and weigh those risks.”
Challenges with accessing clinical data in the cloud
Stokes says that medical office practitioners should also be aware of some of the challenges of using cloud-based services. One of those challenges is bandwidth.
“You will likely need to significantly increase the size and speed of the Internet connection at the office,” he says.
Hadler agrees. Medical practices must have high-availability architectures that provide a 24/7 path to the cloud, so that they always have access to information placed there, such as patient history.
“Because 24/7 access is crucial, it becomes detrimental when network access fails or a large-scale disaster strikes and inhibits immediate access to information stored in the cloud,” he says. “If network access becomes unavailable during a disaster, such as a hurricane, patients’ lives can be put at risk if records are not readily accessible.”
Organizations should create disaster recovery plans and discuss these with their cloud provider. A backup option can mitigate risk should connection to the cloud be severed.
“Medical practices should consider exploring a secondary site at your office or another provider for data recovery purposes,” says Stokes. “Even cloud has hiccups, so you might want something that can act as a failover in the event that the cloud provider has extended issues or, worse yet, gets shut down.”
Increasing your bandwidth and creating a backup option will add monthly costs and administrative overhead, but if the hosting provider is down or having problems, so is your practice.
“If you decide to switch to a cloud-based service, getting all of your data back from the cloud provider could be a very expensive and labor intensive proposition, depending on what it is and how much data they are hosting for you,” says Stokes.
Stokes also advises reviewing with your cloud provider how they handle exit plans and what the costs are. “Find out how hard or easy it is to get your data back and also make sure they can prove that they have removed all of your data off of their systems.”
Even the cloud providers face substantial challenges in protecting the privacy of your healthcare data. When a cloud provider wishes to accommodate a client’s requirement, it must review its agreements with its own service providers: its data center providers, internet service providers, and other cloud service providers.
“Normally, a cloud provider relies on many other cloud providers to provide data storage, internet access, software and other requirements,” says Michael Bennett, a partner in the Chicago office of Edwards Wildman Palmer. “The policies and practices of all those providers must be reviewed before it can be determined whether or not a specific client’s requirements can be accommodated.”
Legal risks of hosting data on the cloud
The main legal risk in a cloud arrangement is that a practice is relying on a cloud provider to fulfill some of its legal obligations, such as confidentiality, security, notice, accessibility and accuracy.
“Those obligations can be imposed by federal law, such as HITECH, HIPAA, state law, or by contract with patients, and other healthcare providers,” says Bennett. “But since cloud services are relatively inexpensive, cloud providers may be unwilling to bear the healthcare provider’s full liability associated with a failure to meet those obligations.”
While cloud services are easy to obtain, easy to pay for, and easy to scale, that ease of deployment can lead parties to enter agreements without performing proper diligence, warns Bennett. Cloud contracts are lengthy, carry robust disclaimers and protections for the provider, and are normally non-negotiable.
“Healthcare providers should consider whether or not the offered service, including its contractual disclaimers and limitations, is a good fit,” he says.
Bennett notes that cloud data is typically stored in data centers in remote jurisdictions, other states, or even other countries. Cloud and healthcare providers should consider whether or not their cloud agreement addresses the legal requirements of all interested jurisdictions, including those of the patient, those where the data is collected and those where the data is stored.
“And the parties should consider all the jurisdictions where data can be stored, including primary and secondary data centers and back-up sites,” he says.
Bennett recommends due diligence on the vendor, including researching whether they are new to the cloud environment and new to healthcare. Ideally, you want a cloud provider that is experienced and has worked with healthcare clients before. Talk to their customers to see what they have to say, and search for the company on social media to see what the online chatter is.
“Also, investigate whether or not insurance is available and carefully review the offering to ensure it covers the anticipated risk,” says Bennett. “And be sure to update and review business associate agreements.”