EHR security: Are providers better off going to the cloud?

The jury is still out as to whether using cloud-based technology for an electronic health record system is better than systems that store data on-site. Cloud computing raises unique issues that providers need to be aware of, especially since it is becoming more common, according to attorney Chanley Howell of Jacksonville, Fla.-based law firm of Foley & Lardner.

"An EHR module, the whole EHR system or some component of the software could be in the cloud," Howell said during a webinar last week that focused on key legal issues raised by EHRs.

One of the biggest risks with cloud computing is the ability to keep the patient data private and secure. According to Howell, the amount of risk the cloud poses depends on the sensitivity of the data and the criticality of the service. "On a cloud risk assessment matrix, an EHR system will be high on both, so the protection of patient data must get close attention," he said. 

Comparatively, Facebook represents cloud computing with relatively low risk; medium risk cloud computing might be web conferencing or the management of customer leads.

While privacy and security of patient records can be compromised in both cloud and on-site EHRs, the former pose several issues not found elsewhere, according to Dan Orenstein, general counsel for EHR vendor athenahealth, who also spoke on the webinar. These risks include:

  • The cloud computing environment being more complex than one at a provider's site, which can leave it more vulnerable;
  • The larger attack surface of cloud computing;
  • The super-sensitive nature of health data in the cloud;
  • The security risks brought by "neighbors" in the cloud; if not separated on the vendor's server, such risks can compromise EHR data;
  • The loss of control of the data, which leaves it in the hands of outsiders that may or may not protect it.

"It's a leap of faith to delegate control [of health data] to a third party," Orenstein said. "It's a big issue."

Still, Orenstein acknowledges that there are some security advantages to cloud computing for EHRs, as well. For one thing, providers are buying staff specialization with the cloud, which provides more experience and economies of scale, which ultimately may make the cloud a safer place for storing patient data. This is particularly true for smaller providers who don't have the in-house IT capability to keep the data as secure. Cloud computing also typically provides a strong, more uniform platform, which, again, provides more security.

In addition, some vendors provide a built-in disaster recovery mechanism for data stored in the cloud, according to Orenstein, meaning the data is still available and recoverable in the event of a cyber attack or other event that bars the user from accessing the data.

Orenstein recommends that providers shopping for an EHR system ask vendors several pointed questions, no matter which type of system they're considering. Specifically, providers should:

  • Ask the vendor how their system keeps the data secure, including security coordination, risk assessments and management;
  • Ask the vendor if the system will share its statement of security measures;
  • Ask the vendor whether their system has disclosure recovery and business continuity programs, and how they operate.

What's more, if the provider has any concerns about the vendor's ability to keep the data secure, they should ask to speak with the vendor's clinical information security officer directly. - Marla