Clouds in healthcare should be viewed as ominous

Cosette's song "Castle on a Cloud" in the musical Les Miserables extols the virtues of being on the cloud. The cloud is a warm memory, inviting and nurturing, a safe haven.

But the more I hear about clouds and electronic health records, the more I fear the cloud. It's surely no safe haven for patient information; to the contrary it is especially vulnerable to security breaches. A lot of EHR vendors that offer cloud-based EHR systems don't take measures to keep patient data safe. Many of them don't think they have to comply with HIPAA's privacy and security rules, and many of their provider clients aren't requiring their vendors to do so. What's more, they're not signing business associate agreements, and some providers don't even raise the issue with their cloud EHR vendors.  

"There's a lot of ignorance regarding safety and privacy of these [cloud] technologies," Deborah Peel, MD, founder of advocacy organization Patient Privacy Rights tells FierceEMR in an exclusive interview.

For instance, the Phoenix-based cardiology practice that was fined $100,000 for posting unsecured patient information online was using a cloud-based product, Peel says.  

That's not the only problem with cloud-based EHRs and other health IT. Many providers have no idea where the vendor is hosting the providers' patient data. It could be housed in a different state; or even outside of the country, leaving it even more vulnerable. "If the cloud vendor won't tell you where the information is, walk out the door," Peel says.

Then there's the problem of what happens to your data when your contract with the cloud vendor ends. Providers don't pay attention to that when they sign their EHR contract, Peel warns.

Look at what happened when Allscripts discontinued its MyWay EHR product in October. Physicians that opted to find a new EHR vendor rather than transition to a different Allscripts product are being assessed thousands of dollars to get their data back, according to a new lawsuit filed against the company.

"They're holding the data captive," Peel says.

But it's the overreaching by cloud EHR vendors from a consumer standpoint that really makes my hair stand on end. According to Peel, some vendors are mining the patient data they're storing and selling it. At least one health information exchange is storing its data in a cloud owned by Aetna, which means that the insurer now will be able to data mine nonmembers' information. And providers who can access records via these clouds are reading patients' entire records, not just the relevant portions to treat the patients, which arguably is not their business.

Our secrets are lawfully in the hands of people we never even contemplated would be able to access them. The whole concept of patient consent to release their information has fallen by the wayside.

And of source the ultimate victims of a breach of cloud-based patient information are the patients, whose confidential information has been compromised.

"The cloud can be a good place for health information if you have iron clad privacy and security protections," Peel says. "[But] people shouldn't have to worry about their data wherever it's held."    

Castle on a cloud? Only if it has a very large moat. - Marla (@FierceHealthIT)