Venyu Blog

Despite the ubiquity of HIPAA regulations and HITECH legislation, best practices around where and how to store electronic health records (EHR) advocates continue to man ramparts on opposite sides of the internal and cloud computing fence.

The Internal Evangelists: (let’s keep EHR on-site):

According to this article in  Healthcare Realty, cloud computing “appears challenged” when confronted with processes such as electronic health records, inclusive of streaming MRIs and diagnostic visual matter. Costs accrue as increased bandwidth is required. In the instance of a “crash” fixing a cloud-based data server is supremely out of the hands of users. Moreover, maintaining all patient documentation in-house ensures facilities like hospitals that they are not only meeting the letter of the law (in this case, HIPAA), but also its spirit. By incorporating a data center from the start, new models for onsite medical office buildings including fire suppression systems and physical supports such as a backup power generator help to preserve the integrity of the data center as well as the data it contains. There is, suggests the anonymous author, something to be said for controlling your environment and your own destiny.

The External Evangelists (let’s move EHR to the clouds):

What Electronic health records require more than anything else – and this is certainly borne out by HIPAA and HITECH legislation is that they remain confidential and secure at all times. Cloud providers are often synonymous with their secure record-keeping characteristics, keeping unwanted visitors away and hackers fully at bay, something most hospitals – particularly as it applies to data security — are mostly ill-equipped to defend.  Moreover, in terms of physical infrastructure a cloud provider simply brings more to the table not only in terms of lockdown on-site security, but also alarms, air-conditioning, fire suppression systems, backup power and much more, again, facilities and their associated expense, not easily within the reach of most non-profit or many, for that matter, for-profit hospitals.

Indeed, taking up arms with my fellow cloud brethren I propose that there is even a school of thought that suggests having electronic health records “in clouds” fosters greater efficiencies both in terms of time to respond and determining how to remedy medical conditions in those instances when a patient is located remotely from his or her own primary physician. In such cases rapid access where the patient’s record is unavailable because it is “locked down” onsite in some physician’s office appears advantageous to the position of migrating such records to virtual, offsite cloud-based servers.

A Compromise?

Ultimately, the author comes down on the side of compromise, moving less complex, patient-dependent data to the cloud (e.g. email and payroll) and leaving more critical and complex software in-house, the goal being finding common ground for hospital and patient alike.

A complementary vision for the future of relocating electronic health care in the clouds is offered by George Hulme in this Network World Article, “Is Healthcare Security in Intensive Care?”

Hulme points out that the seemingly intrinsic quality of securing EHRs — offsite archiving —increasingly serves as THE benchmark for decision-making when it comes to deciding whether to keep patient records on-site. For example he cites the statistics that found since September 2009, when the government began tracking and publishing health breach cases consisting of more than 500 patient records, there have been 265 incidents affecting more than 10.8 million people. In other words, EHR backup in the cloud presents a steep learning curve often leaving hard lessons of trailing indicators behind it.

Moreover, experts interviewed by Hulme are finding increased demand for security services from the health care industry — everything from endpoint encryption and improved identity and security event management. One of these experts relates the anecdote of a health care facility that had placed regulated data on a server on its DMZ where it should not have been stored. In spite of this “teachable moment” it’s clear based on this example alone that education and training of staff are part and parcel of the EHR learning curve. “The challenge with security,” suggests this expert, “is that companies don’t think a breach will happen to them, and they don’t often take it seriously until there has been a breach.”  (Which, of course, I’ll point out is unconditionally and empirically irrelevant when that data has already been backed up into a cloud).

Ultimately, whether your health care facility favors a cloud-based or a more “parochial” (e.g. internal) approach to securing your electronic health records it’s clear that the dividing line between them continues to blur. For expert opinion and a full suite of tools to support your data backup needs, including electronic health records, contact Venyu today.