It's really not surprising that 83 percent of healthcare organizations use the cloud to store electronic health record information or other data, as reported this week by HIMSS Analytics. As their new survey points out, hospitals and other providers using cloud EHR vendors have lower maintenance costs, faster deployment and fewer internal IT staffing needs. Moreover, HIMSS Analytics reports that even more providers will flock to the cloud, and those already using it will expand that use.
It's like BlackBerry vs. iPhone or, for those who remember, Beta vs. VHS. If one technology overshadows the other, the lesser one becomes outdated, less popular and will eventually be put out to pasture.
But what are the implications of this development? What happens if almost all EHR and related records end up in the cloud?
The downside to almost exclusive use of the cloud is that, like it or not, there are still looming privacy and security concerns. Electronic patient information isn't necessarily safer on a provider's in-house server, however, there's something inherently disconcerting about one's records being "out there" with little or no control about how well the cloud vendor is guarding it.
The respondents to the HIMSS Analytics survey acknowledged their concerns about keeping their records safe, and cited security, as well as a vendor's willingness to sign a business associate agreement, as key considerations in choosing with which cloud vendor to contract.
But I fear that is not enough, considering that the status of healthcare security is "alarming." I don't want more providers to suffer data breaches. Heck, I don't want my own records vulnerable in a cloud. Forget opt-in and opt-out with health information exchanges; patients have no choice if a provider moves to a cloud EHR vendor.
I suggest that three steps be taken now to better protect this data:
Take a hard look at what actions cloud EHR vendors are taking to secure patient data: What physical, technical and administrative safeguards are being used? When was the last time the vendor conducted a risk analysis of vulnerabilities, a requirement of HIPAA? When was the last time a provider included an assessment of its cloud provider in its own risk analysis? What happens if the cloud vendor suffers a breach? Who cleans up the problem, notifies patients, offers free credit monitoring, and the like?
Require fairer contracts between cloud vendors and providers: Cloud vendor contracts can be very one sided, limiting liability, requiring the provider to indemnify the provider and even restricting the type of legal action the provider can against the vendor. Since providers have so little control over their records in the cloud, the vendors need to be more accountable and responsible.
Ensure stronger regulatory authority: We seem to be at a crossroads here. Ironically, the Office of the National Coordinator for Health IT is losing funding and senior staff, and having its authority to regulate health IT challenged just as the need to better supervise data in the cloud is rising. The U.S. Department of Health and Human Services Office of Inspector General has added EHRs and cloud vendors to its work plan, but that's not enough. If ONC isn't going to spearhead governance of patient EHR data in the cloud, should the U.S. Food and Drug Administration, the Centers for Medicare & Medicaid Services, the HHS Office for Civil Rights or even the Federal Trade Commission do so?