There are many changes occurring in the healthcare environment. One of the most significant is hospitals transitioning from a paper-based medical record to an electronic medical record (“EMR”). However, due to outdated infrastructure in the hospitals, considerable investment may be required to support this kind of transition in terms of:
- Computing power;
- Data storage; and
- Security.
A possible solution is a transition to a cloud computing based hosting provider, along with an EMR provider such as Vitro that can take advantage of this technology. This is a cost effective alternative to a large investment in internal systems.
The Risks
Moving to a cloud-based EMR system holds a certain element of perceived risk for a healthcare organisation. Some of the risks surround the potential loss of control when data is moved out of internal servers and put into the hands of a cloud provider, compliance with data protection legislation, and the security of patient data.
Over the last number of years, fear about these types of risk has been mitigated due to the flexibility of the cloud, a pay per use model from the cloud provider and some EMR vendors, scalability and the availability of control over data storage locations. As these services have begun to mature, they have resulted in improved data protection and data compliance.
There are many other benefits for a move towards cloud architecture, such as the reduced cost of hardware ownership, maintenance, computing power, data warehousing and analytics to name but a few.
The Barriers
There are two sides to the data security issue. On one side, it is viewed as a barrier to adoption for some healthcare organisations; on the other, the cloud is seen as providing more security than current onsite technology. Security is of course an issue, but the concerns about patient data apply whether it sits in an organisation's own datacenter or in the offsite datacenter of a cloud provider. One of the misconceptions is that when data is moved to a cloud provider, the provider is then responsible for the data. It is important to note that data security is still the responsibility of the IT department in the hospital, whether in the cloud or on premises. Certain aspects of security are the responsibility of the cloud provider, who is providing a service by agreement; hospitals have to be aware that cloud providers do not have knowledge of the data saved on their systems.
Security and Compliance
In the past, it was acceptable to have sealed off environments to safeguard information from the outside world, but in the current changing environment, there is an increasing need for fluid and portable data availability between different healthcare centers and providers. Patients want access to their health records along with clinicians. Architectures and technology need the flexibility to move with the ever changing world rather than providers having to invest heavily following imposed changes as needed. These types of change and access to data can be difficult to achieve in a shielded environment and this is where the benefits of the cloud become most apparent.
The cloud providers have economies of scale which enable them to have certain security measures in place, such as:
- Secure locations;
- Intrusion detection technologies;
- Backup power;
- Industry standard transport protocols between user devices;
- Data encryption for data at rest and calls between servers;
- Filtering of Distributed Denial of Service (“DDoS”) attacks;
- Virtual Private Networks (“VPN”) so a healthcare organisation can extend their own premises network to the cloud;
- The ability to have a private connection to the datacenter which does not go over public internet.
Cloud providers can comply with certain standards such as HIPAA, ISO27001, ISO27018, Australian IRAP, CJIS (“Criminal Justice Information Systems”) and many more, all of which are listed on their websites. Cloud providers are also often aligned with large security firms and so can provide the best level of security.
With the push to a cloud environment in order to provide better security, there is a need to increase security on the data itself that resides in the cloud, and also on the client devices accessing this information. The hospital should be aware of the location where the data is stored in the cloud and of data encryption at rest. The geographical location is important for compliance with data protection legislation, especially if data is geo-replicated. Since there is increased use of mobile devices in hospitals, these devices can be better secured using technologies such as virtualised desktop infrastructure. This effectively makes a device just a pane of glass into a hosted virtual desktop, which is protected by policy-based encryption. Security is provided in that if the device is lost or there is an unauthorised access attempt, it can be disconnected from the network and the account using that device can be updated with a new password.
Conclusion
When moving to the cloud, the security concerns differ from those currently experienced by hospitals, as the data could be accessed externally. Data maps that show the flow path of data and how it can be secured are essential. As discussed above, one of the main areas of concern is around the end point users and where data is displayed or received by devices from the cloud. Some protections that can be added when accessing the cloud are two-factor authentication and complex passwords. IT departments should also look at usage controls to see the ways in which information flows on a normal day. If some abnormality or unusual use is detected, it can be quickly investigated before there is any breach of data security.
It is important that hospitals undertake due diligence in relation to service level agreements and contracts with the cloud provider they are planning on adopting, critically along the lines of uptime, connectivity, performance and response time for issues. This agreement between hospital and cloud provider is usually for a term of 5 to 10 years. Healthcare organisations should be aware that once they have entered into an outsourced cloud structure, increases in data storage can affect their costs. This is all the more relevant as new system vendors are added to the cloud, causing rapid data growth which may not have been expected.
Read the case study on how Bendigo Healthcare are implementing Vitro as their digital Medical Record and using Microsoft Azure as their cloud hosting service.
James Heslin – Technical Solutions and Services Manager, Sláinte Healthcare
James joined Sláinte Healthcare in January 2010. As Client Services Manager, he was responsible for the day-to-day implementation, technical support and rollout of company solutions. In 2012, James was promoted to the position of Technical Solutions and Services Manager. He is responsible for leading the teams that develop product apps, integration, product deployment and technical support. James has over 10 years’ experience in management and problem solving. He completed a Bachelors (Honours) Degree in Digital and Software Systems Engineering and a Masters in Applied Computing in which he obtained a first class honours.
https://ie.linkedin.com/in/james-heslin-6aa276b