Cloud-based EHRs raise unique HIPAA challenges

Cloud-based electronic health record systems have become increasingly popular. But they raise security issues that providers need to address, according to attorney Howard Burde, speaking at the 20th National HIPAA Summit in Washington, D.C. this week.

"The healthcare information is stored, used, and analyzed remotely from the users, and accessed through the Internet," Burde said. "It's going somewhere you don't know."

Some security issues that are particularly acute in cloud computing, according to Burde, include:

  • Access to data, back-up plans, and business continuity in the event of a disaster 
  • What security incident procedures are in place in the cloud
  • How physical access to the server in the cloud is limited

Burde recommended that providers conduct a security management analysis of the cloud. That analysis includes the ability to audit the cloud provider, asking whether its workforce is adequately trained in HIPAA, and a way to evaluate how the data is kept secure.

"You need to do a stress test analysis of the cloud," he said.

Part of the problem, Burde added, is not the cloud itself but the data residing in the EHR or other device, since a breach there can give others access to the cloud and the data stored in it.

Such concerns become even more compelling as cloud computing becomes more prevalent, according to Burde.

"Without the cloud, it's too expensive for a majority of providers to not only meet Meaningful Use, but to avoid malpractice and to provide appropriate care," he said. "They need access through the Internet to other clinical information."