Are your healthcare data safe in the cloud?
Dr. Levine is Clinical Fellow, Reproductive Endocrinology & Infertility, Ronald O. Perelman and Claudia Cohen Center for Reproductive Medicine, Weill Cornell Medical College, New York.
Dr. Goldschlag is Assistant Professor of Clinical Obstetrics and Gynecology and Assistant Professor of Clinical Reproductive Medicine, Ronald O. Perelman and Claudia Cohen Center for Reproductive Medicine, Weill Cornell Medical College, New York.
In June, the Wall Street Journal reported that the Obama administration had hired Amazon.com to host certain HealthCare.gov components.1 That may seem to be a curious partnership, but remember that the world’s largest online retailer never closes.2 Amazon.com is always just a click away and sells not only books and other tangible products, but also streaming media such as TV shows, movies, and music.3
“The move [to Amazon] will give the government more flexibility in the amount of computing power it uses to run its health exchange, experts say, allowing it lower costs outside of peak usage periods,” says the WSJ.1 “By 2015, [HealthCare.gov] … will be optimized for mobile devices and run on Amazon.com’s cloud computing service.”1
So what’s the big deal? Well, many people-including these authors-are skeptical about putting healthcare into the cloud.
Cloud-based computing is neither technologically complex nor new. It simply refers to “saving data to an off-site storage system maintained by a third party,” according to HowStuffWorks. “Instead of storing information on your computer’s hard drive or other local storage device, you save it to a remote database.”4
In fact, many of us have been using cloud-based storage for years. Gmail and Yahoo! are 2 examples of web-based email systems in which data “live” on a server and can be accessed remotely. Other cloud-powered services you may be using include Box.net, Dropbox, GoogleDocs, GoogleDrive, and iCloud. Each has different applications and modes of interaction, but the principle is the same-data are stored remotely and can be accessed wherever and whenever you choose.
It’s probably OK to store baby photos, book reports, and science projects on a publicly accessed server. But is it OK to store health information on one?
In theory, the behemoths of the Internet should maintain the security and fidelity of their servers, but we don’t know if they do so in a HIPAA-compliant manner. We are skeptical because the owners of these data never really know who or what is accessing them. For example, you never know for sure that someone is not looking at your baby photos stored on your mobile device (it probably doesn’t matter, because you were adorable). But there are few if any structured ways to monitor who is accessing this information, and it may be only after the damage is done that a security breach is recognized.
Furthermore, it is nearly impossible to guarantee that what users expect to happen really happens. For example, if you want to purge a record from a cloud-based database, how do you know it was really deleted? What if the service provider backed up the information on 3 different servers to ensure that there would be no service interruptions?
What seems to be a secure back-up feature may in fact be a dangerous form of data duplication.
Things get murky when it comes to legality and liability. According to the Department of Health and Human Services (HHS), “Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions-not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.”5
In plain English, this means that it’s OK to store your protected health information on a third-party cloud-based solution as long as the company has signed a business associates agreement (BAA) with HHS, accepting responsibility for its protection and maintenance. The free web-based cloud services that we all use and love have not signed BAAs. They are not responsible for maintaining data and are not liable in the event of a breach.
Adding to the complexity, despite having no recourse with the cloud-based providers, “[the user] must ensure that the data never leaves US soil,” according to an article on Enterprise Features. “If the data is physically moved to another country, it will be out of US jurisdiction. When this data is stored abroad, it may be subject to international laws which would force your cloud provider to take actions that would put you out of compliance.”6
Free data sites are able to provide robust services in part by storing data abroad, where electricity, real estate, and labor are considerably cheaper.
Cloud-based storage not only makes sense, it is requisite as we all transition to digital electronic health records (EHRs).
First and foremost, make sure that you are using only HIPAA-compliant software/servers for protected health information.
As the American Health Information Management Association points out, “[text] messages may reside on a mobile device indefinitely ... messages often can be accessed without any level of authentication, meaning that anyone who has access to the mobile phone may have access to all text messages on the device without the need to enter a password.”7
While many of us are careful to keep our devices password-protected and to delete patient-specific messages after reading them, many clinicians are shocked and appalled to learn that texting patient information can also be viewed as storing data on a nonsecure cloud. Most mobile phones automatically back up to the cloud in case of theft or damage. If you are going to use your phone to text information, make sure that it is not going through a cloud-based server (for example, on an iPhone, the iChat feature), and turn off the back-up feature.
When moving your practice’s data to the cloud, ask your referring hospital’s chief information officer for advice. Find out which clouds are vetted, approved, and secure. Some EHR companies, such as McKesson, have partnered with companies such as Iron Mountain to offer cloud storage for large parcels of data, such as radiology images.8
Some healthcare systems, such as Beth Israel Deaconess Medical Center, have created their own cloud solutions.9 And some companies are rolling out practice-level HIPAA-compliant mobile solutions.10
Cloud-based storage is a friend, not a foe. Many physicians in New York City who thought that they would lose all their patient records during Superstorm Sandy were pleased to know that their patients’ records were in fact safe and secure. Even so, according to an article on EHRIntelligence.com, “if your solution … is hosted in the cloud, your system remains at risk if your facility loses power and internet connectivity. ... [E]ven though some facilities had a backup plan that preserved their power and their connection to the internet, the EHR provider they used had lost power to their data center which in turn took down the site’s EHR.”11 So pick your provider carefully.
It’s going to get a lot cloudier, but this is a good thing. You will soon be able to access your patients’ records from the comfort of your couch, back yard, or inner tube.
1. Boulton C. HealthCare.gov floats to Amazon’s cloud in revamp. http://blogs.wsj.com/cio/2014/06/06/healthcare-gov-floats-to-amazons-cloud-in-revamp/.Accessed June 7, 2014.
2. Rai S. Online retailers hustle to build an alibaba in India, take on Amazon. www.forbes.com/sites/saritharai/2014/05/22/local-online-retailers-hustle-to-build-an-alibaba-in-india/ Accessed May 22, 2014.
3. Gayles C. Amazon launches Prime streaming music service. http://money.cnn.com/2014/06/12/technology/enterprise/amazon-prime-music/ Accessed June 12, 2014.
4. Strickland J. How cloud storage works. http://www.howstuffworks.com/cloud-computing/cloud-storage.htm. Accessed June 10, 2014.
5. Health information privacy: business associates. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html. Accessed June 10, 2014.
6. Rudo P. How cloud computing affects HIPAA compliance. http://enterprisefeatures.com/2011/08/how-cloud-computing-affects-hipaa-compliance/. Accessed June 10, 2014.
7. Greene AH. HIPAA compliance for clinician texting. http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_049460.hcsp?dDocName=bok1_049460. Accessed June 10, 2014.
8. Iron Mountain. Manage medical image archives. http://www.ironmountain.com/Services/Health-Information-Management/Medical-Image-Archiving.aspx. Accessed June 10, 2014.
9 Gold A. 4 tips for hospitals moving to cloud-based storage. http://www.fiercehealthit.com/story/4-tips-hospitals-moving-cloud-based-storage/2013-07-31. Accessed June 10, 2014.
10. Cloud medical imaging. http://www.corp.att.com/healthcare/miim/. Accessed June 10, 2014.
11. van Terheyden N. EHR, healthcare takeaways from Hurricane Sandy. http://ehrintelligence.com/2012/11/13/ehr-healthcare-takeaways-from-hurricane-sandy/. Accessed June 10, 2014.