Feature | February 18, 2011 | Katherine Leslie, B.S., RDMS, CRA, RT, (R) (CT), imaging services director, Central Peninsula Hospital

Cloud-Based Healthcare Information Sharing

Feeling secure about security

From Skype to Gmail to Facebook, more and more computing is moving to the cloud. Cloud-based computing refers to hosted services that provide applications, data storage and even processing power to subscribers. The subscriber’s sole information technology (IT) requirement: A computer connected to the Internet. If the host charges fees for their service (as Skype does for computer-to-phone calls), those are usually assessed on a per-usage basis, much like electric service.

Where Skype and company have gone, healthcare IT has followed. For example, in the last year or so, several cloud-based services emerged for sharing radiology imaging files and related data via the Internet.

These services have numerous advantages. Most importantly, they overcome what had been a substantial barrier in healthcare: the inability to conveniently share radiology between proprietary IT systems that don’t “talk to each other.” They also save facilities the capital investment expense of installing new IT infrastructure, a boon in particular for smaller operations, such as community hospitals and physician offices. In many cases, there is not even software to purchase. The per-use charges also add to the scalability.

But as controversies with Facebook suggest, there are security concerns with the cloud as there are with any form of computing. For reasons ranging from confidentiality to Health Insurance Portability and Accountability Act (HIPAA) to shielding data for competitive reasons, no medical facility can afford lax security conditions. On the contrary, data must be shared in a way that meets a facility’s security requirements and government regulations. The stakes are high. With breaches of HIPAA, both healthcare providers and technology vendors are equally accountable and each breach is individually actionable. States might also take action against violators. In November 2010, the California Department of Public Health levied eight fines, ranging from $5,000 to $225,000, against six hospitals and a nursing home for failure to secure protected health information, a violation of state laws passed two years earlier.

As one of the country’s “Most Wired Hospitals and Health Systems” for 2010 (named by Hospitals and Health Networks), Central Peninsula Hospital in Soldotna, Alaska, does not take a back seat to anyone when it comes to IT security. The hospital also is an early adopter in using a cloud-based service – eMix by DR Systems – to exchange radiology data.

As a small, rural hospital in a remote area, we generally have to send our most seriously ill patients to large urban facilities that are properly staffed and equipped. In emergency situations especially, it is crucial that these patients’ radiology data get to those hospitals in a timely manner to expedite diagnosis and treatment.

Cloud-based information exchange has been an important addition for us in that regard. It is simple and straightforward to use – more or less like sending an e-mail. It is far superior to burning imaging files and reports on CDs, a process still used even at many otherwise sophisticated hospitals. Burning CDs is time- and labor-intensive. The CDs must be sent to their destination by relatively slow and sometimes costly means, such as express mail, courier or sending them with the patient. Sometimes when the CDs arrive, the staff can’t open the files on them and the whole process has to be repeated.

As an end-run around CDs, some institutions have created virtual private networks (VPNs) with other facilities. While VPNs do enable electronic exchange of data, they are costly and labor-intensive to maintain. Plus, they are one-to-one arrangements. If Hospital A wants to share data with Hospitals B and C, it would need a separate VPN for each of them. Cloud-based services face no such limitation and they are maintained by the host vendor.

With regard to security, VPNs present daunting risks. Consider again the VPN that Hospital A establishes with Hospital B. That VPN is essentially a pipe connecting Hospital B to A’s internal IT network. Through that pipe, B has access to unrelated data, as well as the specific files of interest. Cloud-based data exchange services do not create this sort of access. Only files of interest are shared.

That said, not all cloud-based data exchange services are equal. We had very specific security requirements that we insisted be met before selecting a vendor. Those criteria concern data in transit and data at rest, both of which are vital to protect.

Following are the criteria we required and that we recommend for other institutions that consider entering the cloud:

Protection against malicious penetration of the network. We wanted to see multiple firewalls so the content and database servers were independently protected. We also required intrusion detection monitoring around the clock.

Data encryption. Multiple firewalls are necessary, but not sufficient. It is an industry standard that healthcare information be encrypted so if an attacker captures data in transit, the data will be impossible to read. Our vendor transmits data using SSL (Secure Sockets Layer), a protocol meeting this requirement.

Data redundancy. Obviously, it is mandatory that your vendor have protection against data loss from hardware or software failures by having redundant data residing on other content servers, database servers and Web-servers.

Physical security. Electronic security must be complemented by physical security. Our vendor’s servers are located in a data center that only a very few authorized staff are allowed to enter, and even those personnel must confirm their identity via a biometric (palm print) scan.

Limited access at member institutions. In our case, we wanted to see limitations imposed by the vendor on who could use the service. We needed to feel secure about who had access to the service outside of our control. Our vendor requires every authorized institution designate an administrator who is responsible for determining who will be verified users at that institution. Only those verified users are then allowed access to the service.

Password access. Even verified users should only be able to gain access to the service by entering a complex password.

Data tracking and recovery. If data is lost due to a hardware/software failure on the user side, the vendor should have a dependable means for recovering it. Our vendor tracks and audits all transactions between its clients and servers, both locally at the user institution and at its own central database. This approach ensures data recovery.

Protection against malicious recipients. All new recipients of electronically shared data should have to verify their identity in a way that confirms their legitimacy.

Information security agreement. We recommend all user institutions insist on a so-called “infosec” agreement or interactive disassembler (IDA) with their information exchange vendor.

With all of these criteria met, we feel extremely secure about using a cloud-based system to share confidential medical data. By taking the same care in planning, we believe other institutions can as well.

Editor’s note: Katherine Leslie, B.S., RDMS, CRA, RT, (R) (CT) is imaging services director at Central Peninsula Hospital in Soldotna, Alaska.
