Feature | February 18, 2011 | Katherine Leslie, B.S., RDMS, CRA, RT, (R) (CT)

Feeling secure about security


From Skype to Gmail to Facebook, more and more computing is moving to the cloud. Cloud-based computing refers to hosted services that provide applications, data storage and even processing power to subscribers. The subscriber’s sole information technology (IT) requirement: A computer connected to the Internet. If the host charges fees for their service (as Skype does for computer-to-phone calls), those are usually assessed on a per-usage basis, much like electric service.

Where Skype and company have gone, healthcare IT has followed. For example, in the last year or so, several cloud-based services emerged for sharing radiology imaging files and related data via the Internet.

These services have numerous advantages. Most importantly, they overcome what had been a substantial barrier in healthcare: the inability to conveniently share radiology data between proprietary IT systems that don’t “talk to each other.” They also save facilities the capital investment expense of installing new IT infrastructure, a boon in particular for smaller operations, such as community hospitals and physician offices. In many cases, there is not even software to purchase. The per-use charges also add to the scalability.

But as controversies with Facebook suggest, there are security concerns with the cloud, as there are with any form of computing. For reasons ranging from confidentiality to the Health Insurance Portability and Accountability Act (HIPAA) to shielding data for competitive reasons, no medical facility can afford lax security conditions. On the contrary, data must be shared in a way that meets a facility’s security requirements and government regulations. The stakes are high. With breaches of HIPAA, both healthcare providers and technology vendors are equally accountable and each breach is individually actionable. States might also take action against violators. In November 2010, the California Department of Public Health levied eight fines, ranging from $5,000 to $225,000, against six hospitals and a nursing home for failure to secure protected health information, a violation of state laws passed two years earlier.

As one of the country’s “Most Wired Hospitals and Health Systems” for 2010 (named by Hospitals and Health Networks), Central Peninsula Hospital in Soldotna, Alaska, does not take a back seat to anyone when it comes to IT security. The hospital also is an early adopter in using a cloud-based service – eMix by DR Systems – to exchange radiology data.

As a small, rural hospital in a remote area, we generally have to send our most seriously ill patients to large urban facilities that are properly staffed and equipped. In emergency situations especially, it is crucial that these patients’ radiology data get to those hospitals in a timely manner to expedite diagnosis and treatment.

Cloud-based information exchange has been an important addition for us in that regard. It is simple and straightforward to use – more or less like sending an e-mail. It is far superior to burning imaging files and reports on CDs, a process still used even at many otherwise sophisticated hospitals. Burning CDs is time- and labor-intensive. The CDs must be sent to their destination by relatively slow and sometimes costly means, such as express mail, courier or sending them with the patient. Sometimes when the CDs arrive, the staff can’t open the files on them and the whole process has to be repeated.

As an end-run around CDs, some institutions have created virtual private networks (VPNs) with other facilities. While VPNs do enable electronic exchange of data, they are costly and labor-intensive to maintain. Plus, they are one-to-one arrangements. If Hospital A wants to share data with Hospitals B and C, it would need a separate VPN for each of them. Cloud-based services face no such limitation and they are maintained by the host vendor.

With regard to security, VPNs present daunting risks. Consider again the VPN that Hospital A establishes with Hospital B. That VPN is essentially a pipe connecting Hospital B to A’s internal IT network. Through that pipe, B has access to unrelated data, as well as the specific files of interest. Cloud-based data exchange services do not create this sort of access. Only files of interest are shared.

That said, not all cloud-based data exchange services are equal. We had very specific security requirements that we insisted be met before selecting a vendor. Those criteria concern data in transit and data at rest, both of which are vital to protect.

Following are the criteria we required and that we recommend for other institutions that consider entering the cloud:

Protection against malicious penetration of the network. We wanted to see multiple firewalls so the content and database servers were independently protected. We also required intrusion detection monitoring around the clock.

Data encryption. Multiple firewalls are necessary, but not sufficient. It is an industry standard that healthcare information be encrypted so if an attacker captures data in transit, the data will be impossible to read. Our vendor transmits data using SSL (Secure Sockets Layer), a protocol meeting this requirement.

Data redundancy. Obviously, it is mandatory that your vendor have protection against data loss from hardware or software failures by having redundant data residing on other content servers, database servers and Web-servers.

Physical security. Electronic security must be complemented by physical security. Our vendor’s servers are located in a data center that only a very few authorized staff are allowed to enter, and even those personnel must confirm their identity via a biometric (palm print) scan.

Limited access at member institutions. In our case, we wanted to see limitations imposed by the vendor on who could use the service. We needed to feel secure about who had access to the service outside of our control. Our vendor requires that every authorized institution designate an administrator who is responsible for determining who will be verified users at that institution. Only those verified users are then allowed access to the service.

Password access. Even verified users should only be able to gain access to the service by entering a complex password.

Data tracking and recovery. If data is lost due to a hardware/software failure on the user side, the vendor should have a dependable means for recovering it. Our vendor tracks and audits all transactions between its clients and servers, both locally at the user institution and at its own central database. This approach ensures data recovery.

Protection against malicious recipients. All new recipients of electronically shared data should have to verify their identity in a way that confirms their legitimacy.

Information security agreement. We recommend all user institutions insist on a so-called “infosec” agreement or interactive disassembler (IDA) with their information exchange vendor.

With all of these criteria met, we feel extremely secure about using a cloud-based system to share confidential medical data. By taking the same care in planning, we believe other institutions can as well.

Editor’s note: Katherine Leslie, B.S., RDMS, CRA, RT, (R) (CT) is imaging services director at Central Peninsula Hospital in Soldotna, Alaska.

