Feature | February 18, 2011 | Katherine Leslie, B.S., RDMS, CRA, RT, (R) (CT), imaging services director, Central Peninsula Hospital

Cloud-Based Healthcare Information Sharing

Feeling secure about security

From Skype to Gmail to Facebook, more and more computing is moving to the cloud. Cloud-based computing refers to hosted services that provide applications, data storage and even processing power to subscribers. The subscriber’s sole information technology (IT) requirement: A computer connected to the Internet. If the host charges fees for their service (as Skype does for computer-to-phone calls), those are usually assessed on a per-usage basis, much like electric service.

Where Skype and company have gone, healthcare IT has followed. For example, in the last year or so, several cloud-based services emerged for sharing radiology imaging files and related data via the Internet.

These services have numerous advantages. Most importantly, they overcome what had been a substantial barrier in healthcare: the inability to conveniently share radiology between proprietary IT systems that don’t “talk to each other.” They also save facilities the capital investment expense of installing new IT infrastructure, a boon in particular for smaller operations, such as community hospitals and physician offices. In many cases, there is not even software to purchase. The per-use charges also add to the scalability.

But as controversies with Facebook suggest, there are security concerns with the cloud as there are with any form of computing. For reasons ranging from confidentiality to Health Insurance Portability and Accountability Act (HIPAA) to shielding data for competitive reasons, no medical facility can afford the lax security conditions. On the contrary, data must be shared in a way that meets a facility’s security requirements and government regulations. The stakes are high. With breaches of HIPAA, both healthcare providers and technology vendors are equally accountable and each breach is individually actionable. States might also take action against violators. In November 2010, the California Department of Public Health levied eight fi nes, ranging from $5,000 to $225,000, against six hospitals and a nursing home for failure to secure protected health information, a violation of state laws passed two years earlier.

As one of the country’s “Most Wired Hospitals and Health Systems” for 2010 (named by Hospitals and Health Networks), Central Peninsula Hospital in Soldotna, Alaska, does not take a back seat to anyone when it comes to IT security. The hospital also is an early adopter in using a cloud-based service – eMix by DR Systems – to exchange radiology data.

As a small, rural hospital in a remote area, we generally have to send our most seriously ill patients to large urban facilities that are properly staffed and equipped. In emergency situations especially, it is crucial that these patients’ radiology data get to those hospitals in a timely manner to expedite diagnosis and treatment.

Cloud-based information exchange has been an important addition for us in that regard. It is simple and straightforward to use – more or less like sending an e-mail. It is far superior to burning imaging files and reports on CDs, a process still used even at many otherwise sophisticated hospitals. Burning CDs is time- and labor-intensive. The CDs must be sent to their destination by relatively slow and sometimes costly means, such as express mail, courier or sending them with the patient. Sometimes when the CDs arrive, the staff can’t open the files on them and the whole process has to be repeated.

As an end-run around CDs, some institutions have created virtual private networks (VPNs) with other facilities. While VPNs do enable electronic exchange of data, they are costly and labor-intensive to maintain. Plus, they are one-to-one arrangements. If Hospital A wants to share data with Hospitals B and C, it would need a separate VPN for each of them. Cloud-based services face no such limitation and they are maintained by the host vendor.

With regard to security, VPNs present daunting risks. Consider again the VPN that Hospital A establishes with Hospital B. That VPN is essentially a pipe connecting Hospital B to A’s internal IT network. Through that pipe, B has access to unrelated data, as well as the specific files of interest. Cloud-based data exchange services do not create this sort of access. Only files of interest are shared.

That said, not all cloud-based data exchange services are equal. We had very specific security requirements that we insisted be met before selecting a vendor. Those criteria concern data in transit and data at rest, both of which are vital to protect.

Following are the criteria we required and that we recommend for other institutions that consider entering the cloud:

Protection against malicious penetration of the network. We wanted to see multiple firewalls so the content and database servers were independently protected. We also required intrusion detection monitoring around the clock.

Data encryption. Multiple firewalls are necessary, but not sufficient. It is an industry standard that healthcare information be encrypted so if an attacker captures data in transit, the data will be impossible to read. Our vendor transmits data using SSL (Secure Sockets Layer), a protocol meeting this requirement.

Data redundancy. Obviously, it is mandatory that your vendor have protection against data loss from hardware or software failures by having redundant data residing on other content servers, database servers and Web-servers.

Physical security. Electronic security must be complemented by physical security. Our vendor’s servers are located in a data center that only a very few authorized staff are allowed to enter, and even those personnel must confirm their identify via a biometric (palm print) scan.

Limited access at member institutions. In our case, we wanted to see limitations imposed by the vendor on who could use the service. We needed to feel secure about who had access to the service outside of our control. Our vendor requires every authorized institution designate an administrator who is responsible for determining who will be verified users at that institution. Only those verified users are then allowed access to the service.

Password access. Even verified users should only be able to gain access to the service by entering a complex password.

Data tracking and recovery. If data is lost due to a hardware/ software failure on the user side, the vendor should have a dependable means for recovering it. Our vendor tracks and audits all transactions between its clients and servers, both locally at the user institution and at its own central database. This approach ensures data recovery.

Protection against malicious recipients. All new recipients of electronically shared data should have to verify their identity in a way that confirms their legitimacy.

Information security agreement. We recommend all user institutions insist on a so-called “infosec” agreement or interactive disassembler (IDA) with their information exchange vendor.

With all of these criteria met, we feel extremely secure about using a cloud-based system to share confidential medical data. By taking the same care in planning, we believe other institutions can as well.

Editor’s note: Katherine Leslie, B.S., RDMS, CRA, RT, (R) (CT) is imaging services director at Central Peninsula Hospital in Soldotna, Alaska.

Related Content

FDA Clears Bay Labs' EchoMD AutoEF Software for AI Echo Analysis
Technology | Cardiovascular Ultrasound | June 19, 2018
Cardiovascular imaging artificial intelligence (AI) company Bay Labs announced its EchoMD AutoEF software received 510(...
New U.S. Tariffs on Chinese Goods Include Imaging Equipment
News | Radiology Business | June 15, 2018 | Jeff Zagoudis, Associate Editor
The Office of the U.S. Trade Representative (USTR) released the much-anticipated list of Chinese-manufactured goods...
News | Remote Viewing Systems | June 14, 2018
International Medical Solutions (IMS) recently announced that the American College of Radiology (ACR) added IMS'...
Wake Radiology Launches First Installation of EnvoyAI Platform
News | Artificial Intelligence | June 13, 2018
Artificial intelligence (AI) platform provider EnvoyAI recently completed their first successful customer installation...
How AI and Deep Learning Will Enable Cancer Diagnosis Via Ultrasound

The red outline shows the manually segmented boundary of a carcinoma, while the deep learning-predicted boundaries are shown in blue, green and cyan. Copyright 2018 Kumar et al. under Creative Commons Attribution License.

News | Ultrasound Imaging | June 12, 2018 | Tony Kontzer
June 12, 2018 — Viksit Kumar didn’t know his mother had...
Zebra Medical Vision Unveils AI-Based Chest X-ray Research
News | Artificial Intelligence | June 08, 2018
June 8, 2018 — Zebra Medical Vision unveiled its Textray chest X-ray research, which will form the basis for a future
Konica Minolta Launches AeroRemote Insights for Digital Radiography
Technology | Analytics Software | June 07, 2018
Konica Minolta Healthcare Americas Inc. announced the release of AeroRemote Insights, a cloud-based, business...
Vinay Vaidya, Chief Medical Information Officer at Phoenix Children’s Hospital

Vinay Vaidya, Chief Medical Information Officer at Phoenix Children’s Hospital

Sponsored Content | Case Study | Artificial Intelligence | June 05, 2018
The power to predict a cardiac arrest, support a clinical diagnosis or nudge a provider when it is time to issue medi
How image sharing through a health information exchange benefits patients while saving time and money is depicted in this slide shown at HIMSS 2018. Graphic courtesy of Karan Mansukhani.

How image sharing through a health information exchange benefits patients while saving time and money is depicted in this slide shown at HIMSS 2018. Graphic courtesy of Karan Mansukhani.

Feature | Information Technology | June 05, 2018 | By Greg Freiherr
A regional image exchange system is saving lives and reducing radiology costs in Maryland by improving the efficiency
Using Imaging Analytics for Radiology, VCU Health in Richmond, Va., has developed a dashboard to view turnaround time analysis. This functionality allows drill down for each technologist and radiologist and looks at the different steps of the imaging cycle.

Using Imaging Analytics for Radiology, VCU Health in Richmond, Va., has developed a dashboard to view turnaround time analysis. This functionality allows drill down for each technologist and radiologist and looks at the different steps of the imaging cycle.

Sponsored Content | Case Study | Information Technology | June 05, 2018
Sharon Gibbs, director of the radiology department at VCU Health in Richmond, Va., aims to provide quality, timely and...
Overlay Init