Can 'clouds' protect patient data from security breaches?


While cloud-based electronic health records (EHRs) have received a fair amount of publicity lately, nagging questions accompany their discussion: Are cloud-based EHRs, whose data travel across the Internet to off-site servers, more exposed to security breaches? Or are on-site systems the better bet for ensuring data protection?

An online analysis published this week by the consulting firm Software Advice offers an interesting perspective on this issue. Author Michael Koploy, an analyst, notes that he and his colleagues speak on the phone daily with physicians who are researching EHR software. Much of the time, they hear the physicians say how afraid they are to switch to a system that puts their health data far away in the "clouds," where they could be hacked.

To determine whether those concerns are justified, Koploy looked at how and where patient data have actually been breached. The tool he used was the online data set compiled by the Department of Health and Human Services' Office for Civil Rights, which lists breaches affecting 500 or more individuals.

Better known as the "Wall of Shame," it currently contains 288 breaches reported under the Health Insurance Portability and Accountability Act (HIPAA), going back to October 2009.

Looking at the data, physical theft and loss accounted for most of the reported breaches (63 percent). This was followed by unauthorized access or disclosure, which accounted for another 16 percent. Hacking accounted for only 6 percent.

Koploy said he was surprised to find that the vast majority of HIPAA violations weren't "instances of professional hacking or Ocean's 11-esque intrusion." Instead, most data breaches were related to poor internal security, petty theft, or negligence. This held true even for the largest violations on record, he said.

When it came to where the breached data resided, electronic storage devices such as hard drives (54 percent) and paper records (21 percent) were the most common breach locations.
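To show how such a tally over the portal data is produced, here is an added example that is not code from the article or from Software Advice. It loads rows in the shape of the HHS portal's CSV export, keeps only breaches at or above the 500-individual reporting threshold, and counts breach types and locations. The column names, the assumption that a row may list several types or locations separated by commas, and the sample rows themselves are constructed for illustration; they are not real portal entries.

```python
"""Tally breach types and locations from rows shaped like the HHS OCR breach portal export.

Added example, not the article's or Software Advice's code. The column names
and the comma-separated multi-valued fields are assumptions about the export;
the rows below are constructed and do not describe real breaches.
"""
import csv
import io
from collections import Counter

# Constructed sample rows (assumed column names, made-up entities and figures).
SAMPLE_CSV = """\
Name of Covered Entity,Individuals Affected,Type of Breach,Location of Breached Information
Example Clinic A,1700000,Theft,Other Portable Electronic Device
Example Hospital B,2000,Hacking/IT Incident,Network Server
Example Practice C,1750,Unauthorized Access/Disclosure,Electronic Medical Record
Example Practice D,600,Loss,Paper
Example Practice E,3200,"Theft, Loss","Laptop, Paper"
Example Practice F,450,Theft,Laptop
"""

THRESHOLD = 500  # the portal lists only breaches affecting 500 or more individuals


def split_multi(value):
    """A single row may list several categories separated by commas (assumed)."""
    return [part.strip() for part in value.split(",") if part.strip()]


def load_breaches(text, threshold=THRESHOLD):
    """Parse the CSV text and drop rows below the reporting threshold or with a bad count."""
    kept = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            affected = int(row["Individuals Affected"])
        except (KeyError, ValueError):
            continue  # malformed row: skip rather than miscount
        if affected >= threshold:
            kept.append(row)
    return kept


def tally(rows, column):
    """Count breaches per category in `column`.

    A multi-valued row counts once under each category it lists, so the
    percentages are shares of all breaches and can add up to more than 100.
    Returns {category: (count, percent_of_all_breaches)}.
    """
    counts = Counter()
    for row in rows:
        for category in split_multi(row[column]):
            counts[category] += 1
    total = len(rows)
    return {c: (n, round(100.0 * n / total, 1)) for c, n in counts.items()}


def largest(rows):
    """The single breach affecting the most individuals."""
    return max(rows, key=lambda r: int(r["Individuals Affected"]))


if __name__ == "__main__":
    breaches = load_breaches(SAMPLE_CSV)
    print(f"{len(breaches)} breaches at or above {THRESHOLD} individuals")
    for column in ("Type of Breach", "Location of Breached Information"):
        print(column)
        for category, (n, pct) in sorted(tally(breaches, column).items(), key=lambda kv: -kv[1][0]):
            print(f"  {category}: {n} ({pct}%)")
    big = largest(breaches)
    print("largest:", big["Name of Covered Entity"], big["Individuals Affected"])
```

The same functions work on the real export once the column names are confirmed against the portal's CSV header; the multi-valued handling is what keeps a "Theft, Loss" row from being silently dropped or counted as a category of its own.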

Only seven breaches, as indicated by the HHS site, wholly or partially involved EHRs. When Koploy dug a little deeper to see whether those EHR breaches involved on-premise systems or systems based in the cloud, he found that all of them involved on-premise systems.

For example, one case affecting 1.7 million patients resulted from a hard drive stolen from the back of a van. Another, with 2,000 patients affected, was related to the hacking of an on-site server. And more than 1,700 patient records were breached by an employee using a facility's on-site system.

Although the data do not prove that cloud-based EHRs can't be hacked, they do provide some vindication for the cloud, Koploy said. Paper records and portable devices, it seems, are the weakest link in HIPAA security, he observes.

"HIPAA violations aren't happening in the cloud. Rather, they're happening in the doctor's office, hospital IT closets, cars, subways, and homes," he said.

To avoid breaches, providers will still need to take precautions, such as training staff on the security measures necessary to make sure patient privacy is respected. But the best advice for EHR users everywhere, he said, is to lock your car when your computer is in it. It's good advice for us all. - Janice