By Nicole Lewis, iHealthBeat
Like many hospital CIOs, John Halamka is obsessed with patient data security. For the last seven years, Halamka, who is CIO at Beth Israel Deaconess Medical Center, has shied away from embracing cloud service providers offering to host the hospital’s mission-critical applications on their cloud computing platforms. To ensure security, Halamka built a private cloud that stores and distributes critical information across multiple data centers — but that model is about to change.
This year Beth Israel is getting ready to transfer critical data, including the hospital’s electronic health records, to the cloud computing platforms of Amazon Web Services.
“This year is a tipping point. We are in a proof of concept to move our EHR test-and-development environment to AWS, and if that works, we’ll move the production environment to AWS,” Halamka said.
Driving Beth Israel’s decision to put mission-critical information in the cloud is cost: it is cheaper to use AWS’s hardware, software and IT expertise than to keep building out its own. Further, the volume of data at Beth Israel has grown on average by 25% annually over the past five years and now stands at 4 petabytes, which has added pressure on the hospital’s ability to manage its data efficiently.
Beth Israel already uses cloud hosting platforms from Cornerstone OnDemand to advance its employee learning and training programs, but it intends to expand the outsourcing and management of critical clinical applications in the cloud because, Halamka said, “the cloud is a much more secure environment for EHRs in 2015 than locally hosted on-premises servers.”
Health Care Embraces the Cloud
Moving more health care information onto cloud computing platforms is a growing trend.
A study from Dell, in collaboration with research firm TNS, found that 96% of mid-size health care organizations surveyed are using or are considering using cloud computing.
These findings mirror a study from the Healthcare Information and Management Systems Society that found 83% of the 150 respondents in the survey use cloud services, and another 9% plan to use the cloud in the future. Interestingly, 61% said security is still a top concern, and 6% said they don’t plan to try cloud services.
To help cloud service providers meet HIPAA requirements, Jim Reavis, CEO of the Cloud Security Alliance, said his organization has mapped HIPAA security requirements to its CSA STAR Certification, which is a third-party independent assessment of the security of a cloud service provider.
“The adoption of cloud services by health care organizations seems to be aggressive,” Reavis said. “Many cloud providers who are members of CSA say health care is either the No. 1 or No. 2 vertical industry adopting cloud services.”
Josh Siegel — CTO at CareCloud Corporation, a Miami, Fla.-based cloud service provider — said that managing health care data forces his company to meet a higher standard, not only because of HIPAA regulations but also because securing data in transit is a routine requirement in health care.
“Right now health care is using a lot of data interchange to make the patient data available in different systems, and that requires a higher level of diligence,” Siegel said.
Critics of Cloud Focus on Risks
One skeptic of cloud computing’s ability to secure patient data is Sriram Bharadwaj, director of information services at the University of California-Irvine Medical Center. Bharadwaj said his hospital currently has no plans to use cloud computing for clinical, business or any other datasets that are critical to the hospital’s operations. Currently, UC-Irvine Health, which operates the medical center, uses the cloud for non-mission-critical tasks, like help desk support.
Bharadwaj, who is chair of the HIMSS Privacy and Security Committee, questions whether cloud providers can meet the specific needs of health care clients that have to comply with HIPAA’s patient data security requirements.
He noted there are many questions to ask, including:
- What notification do health care customers get when data center personnel change?
- When data are transferred from the health care location to the cloud provider, is the transfer secure?
- Are cloud providers storing data on storage area networks with encrypted disks and hard drives?
- Do cloud providers have a HIPAA expert or a compliance officer who understands HIPAA?
“I’m not a big cloud proponent because it is not entirely clear that the policies and procedures that health care entities demand can be met by cloud service providers,” Bharadwaj said.
Cloud Vendors Boost Security Protections
But cloud providers say they are addressing patient data security issues with fervor.
On the CareCloud platform, all data — in transit and at rest — are encrypted, Siegel said. The company partners with real-time security monitoring vendors to analyze its network traffic continuously. Siegel added that the CareCloud platform itself enforces best practices on its clients, requiring them to assign roles and rights to individuals within their organization before those individuals can access specific data within CareCloud.
Looking ahead, CareCloud will provide biometric two-factor user recognition, a technology that Siegel said will be more practical for many health care clients.
“Picture a front office staff member stepping away from their computer momentarily and then entering their password when they return. The system matches their password with facial recognition before granting access as an extra security measure,” Siegel said.
Carolinas IT, a Raleigh, N.C.-based cloud service provider, has seen a 50% increase in interest from potential health care clients during the past three years. Mark Cavaliero, the company’s CEO, said the firm handles patient data in a multi-layered security architecture. Among the techniques and technologies used to secure personal health information and personally identifiable information, Cavaliero listed perimeter security, rule-based protection, port-based security, encryption, advanced authentication methods and physical security, as well as logical and physical segmentation, threat signatures, behavior analysis and deep-packet inspection.
“We monitor traffic in and out of our cloud and use advanced name resolution control for outbound requests,” Cavaliero said. “We also monitor for traffic and utilization anomalies and proactively patch at all levels, including bios, hypervisor, OS and at the application level. We take a strong, proactive security stance, combined with effective end-user and administrative policies, to protect all data with sensitive information.”
Over at Dell, Carrick Carpenter leads the health care cloud computing business. She said all health care customer environments must be kept separate, data should be encrypted, and health care customers manage access to their own information, which is protected by intrusion prevention and intrusion detection software from Dell’s SecureWorks division.
In his assessment, Halamka is confident that cloud security has matured during the past seven years, particularly in three critical areas:
- Cloud providers increasingly offer business associate agreements that include indemnification if a security breach occurs.
- Increasingly, cloud providers perform independent third-party audits that verify a provider’s security resilience.
- Cloud providers have instituted policies that are extremely restrictive regarding who uses the system, how the technology is used and how the entry points to the cloud are managed.
As cloud vendors continue to improve their security posture for health care customers, many stress that health care clients have a responsibility to implement policies and procedures that strengthen physical and logical security in their data environment.
In fact, many data breaches at health care organizations are caused by employee negligence. Halamka recalls one intrusion event that occurred when a nurse at Beth Israel used an Android device to download an online game from an infected website and then used the same device to access one of the hospital’s cloud-hosted computing systems.
According to Carpenter, there will always be risks. However, the hacking of information seems targeted, for now, at on-premises implementations, and there’s a reason why.
“Cloud vendors are spending more on security than individual, on-premise customers could. Further, given health care IT is the core competency of cloud vendors, like Dell Cloud, these companies cannot afford to be breached,” Carpenter said. “To this end, the challenges in securing a cloud are the same as an on-premise solution. The difference is that cloud vendors invest in client separation, security tools, force encryption, test security frequently, hire third-party audits and generally don’t take data assets for granted — ever.”