In one of my recent conversations with Dr. Andy Litt, Chief Medical Officer at Dell, he made a really interesting but possibly counter intuitive observation. While maybe not a direct quote from him, I took away this observation from Dr. Litt:
Security and privacy drives people to the cloud.
Talk about an ironic statement. I imagine if I were to talk to a dozen CIOs, they would be more concerned about the security and privacy implications of the cloud. I don’t imagine most would look at the cloud as the solution to some of their security and privacy problems.
However, Dr. Litt is right. Many times a cloud based EHR or other software is much more secure than a server hosted in a doctors office. The reality is that many healthcare organizations large or small just can’t invest the same money in securing their data as compared with a cloud provider.
It’s not for lack of desire to make sure the data is secure and private. However, if you’re a small doctor’s office, you can only apply so many resources to the problem. Even a small EHR vendor with a few hundred doctors can invest more money in the security and privacy of their data than a solo practice. Although, this is true for even very large practices and even many hospitals.
One reason why I think many will disagree with this notion is because there’s a difference between a cloud provider who can be more secure and private and one who actually executes on that possibility. It’s a fair question that everyone should ask. Although, this can be verified. You can audit your cloud provider and see that they’re indeed putting in security and privacy capabilities that are beyond what you’d be able to do on your own.
What do you think? Is hosting in the cloud a way to address security and privacy concerns?
As a “cloud” provider that uses high level security and redundancy, I tend to agree with the assertion that “cloud” can be safer. I formerly worked for a client-server company and we routinely had a customer or two every week that lost data because they did not follow back-up procedures. Even when we instituted a process to back-up their servers for them to our data center we still had problems because customers would put in unrecommended firewalls or reconfigure their servers so they would not back-up properly.
That said, “cloud” is a nebulous term, pardon the pun. Is the vendor using their own servers in a top tier data center or leasing/using space in the cloud? Or is the “cloud” really a client-server configuration hosted by the vendor simply accessed via VPN? – in which case it may not be any safer or any better backed-up than a server sitting in the customer’s office.
When the vendor is hosting the customer’s data on vendor owned servers in a top tier data center and employing high level security protocols and redundancy you have a very secure system – and one most physician offices could not replicate. Vendors with this configuration stake their entire company on the security and reliability of their system – an issue for one customer is likely an issue for every customer. As such, they also have a huge incentive to keep their systems secure and available.
John,
Thanks for covering this important topic, as cloud solutions are an important tool that hospitals can use to solve pressing problems — when done well.
Working with cloud providers that specialize in healthcare data which also have hospital experience, is one way to help overcome adoption problems. There is just more trust when the hospital knows that their provider understands the sensitivity of the data from having lived in their shoes.
Cloud providers like INHS come to mind, for example. Your readers can find more information on INHS as well as the use-cases which hospitals can consider for cloud, at:
http://www.bridgeheadsoftware.com/campaigns/bridging_the_gap_from_hospital_to_cloud/
Thanks and keep up the good work!
Kelly
C Huddle,
Thanks for articulating the idea I was trying to convey even better than I did.
[…] 6 HIPAA Compliance Reality Checks whitepaper and then carried over with my piece looking at whether cloud adoption addresses security and privacy concerns. In the later post, there’s been a really rich discussion around the ability of an enterprise […]
I agree that security and privacy drive people to the cloud…but this is because they are being sold on this point.
During a risk assessment, probably about 10% to 20% of the items addressed can be alleviated by being on the cloud.
Does the cloud make backup easier? Of course, but if an office actually tries, they can have solid backup with little effort.
I’m not at all against “the cloud”, what I’m against is the false selling point that the cloud “solves all your problems”…and believe me, this is a key point salespeople make, I see it every week.