Tumult in the Clouds
by
Brendon Nafziger, DOTmed News Associate Editor | April 29, 2010
But asks Dixon, "Is a cloud provider a business associate? There's a lot of discussion about that."
"Here's where the rub is," she says. "A health care provider subject to HIPAA absolutely may not store a patient record in a storage business without that business associate agreement. But what are those cloud provider's terms of service? We've seen TOS that basically say we can publish any information for ad-serving purposes stored on our network. That doesn't jibe with HIPAA," she notes.
Nonetheless, Dixon acknowledges that electronic health records - perhaps stored in the cloud - are the future. Because of these complexities of complying with HIPAA, she believes there could be a place for specialty cloud providers working in the medical field who promise, for instance, not to offshore HIPAA-covered sensitive patient medical records.
Economies of scale
Yet, despite its risks, in many ways cloud could, ultimately, improve security.
"It's about separating fact from perception," Kermani says. "The perception is if it's outside of my walls it's less secure, but that's not entirely true."
After all, most data loss from hospitals or insurers has been through hardware theft, not cyber break-ins. As Practice Fusion's Peters puts it, "It's much easier to have a computer lost or stolen than to have someone go Mission Impossible and hack into your system."
But the main reason for beefier security is econ 101: economies of scale. A cloud provider can devote the resources to creating a world-class security system that would be impossible for a slew of smaller health care centers.
"If you pick the right [cloud] provider, they've spent a lot of money making sure the data center is secure, whereas if you put it in the data guy's closet, and he forgets to lock his door or he gets fired, and takes the keys and takes the tapes away, it's a lot less secure," Bycast's Kermani says.
For instance, Practice Fusion's CEO Howard tells DOTmed News that his company provides what he calls Fortune 500-level physical security. Data sites allow access only after employees undergo a biometric (thumbprint) scan, and all client data are stored in disaster-resistant cages.
Cloud provider Nirvanix says it also employs so-called Tier III data centers, a classification that ensures point-in-time redundancy copies of all datasets, power supply back-ups, reliable network connections and disaster-recovery protections. As with many of the cloud providers, Nirvanix sends all data over virtual private networks. These networks are shared circuits that limit access only to those parties sending and receiving.