By Sam F. Khashman
Moving business to the cloud seems hip, fiscally astute, progressive, and innovative. Putting private business information (especially Protected Health Information, or PHI) out on the Internet? No way. The problem is that “the public Cloud” is the Internet, repackaged and glitzed up, but still carrying the same massive concerns for security, reliability (speed and access) and control. The cloud concept is actually one of the ideas that has survived from the dinosaur era of computing into the computing we know today. Depending on who gets the ultimate credit for “the Cloud,” the phrase is between 50 and 60 years old.
We all interact in the cloud, especially if we use Facebook or other social media. You want your medical or financial information on Facebook? Remember some of the revelations we’ve had about who is accessing what’s in your personal accounts (in spite of your privacy preferences)?
So let’s talk business for a minute. Radiology is a high-volume medical specialty, with the typical practice management system for a mid-sized hospital-based practice moving and storing millions of highly confidential transactions. The penalty for failing to maintain the security of these transactions can involve multi-million-dollar fines and the publication of your organization on the Office for Civil Rights “list of shame” for security breaches involving more than 500 names. Since concerns for privacy and security have been a long-time bugaboo of the Web (the Internet, the public Cloud), most organizations dealing with highly confidential financial information have so far declined to participate. There is a message in the fact that banks and credit card companies may add to their own internal clouds (private clouds), but they aren’t turning to the large-scale “we’ll take care of that for you” option of a public cloud-based alternative.
What do you need to know about the cloud in terms of your business?
- Know your terminology. There is a vast difference between a public Cloud and a private one, with the latter controlled by your own IT department, internal or external. The security implications vary greatly and you need to do your homework.
- The Cloud can work well for certain business applications, such as project collaboration, customer service, marketing communications and dashboards containing limited information. Transaction speed is not usually an issue in these situations; they are usually not business-critical if delayed or temporarily unavailable, and the security risks related to transmission of, or access to, confidential information are measured.
- Security is an issue, with vulnerability to Internet-based cyber-attacks representing more than an imaginary plot for a fast-paced book or movie. And there are no sound industry predictions regarding whether Internet (Cloud) security will ever be successfully addressed. In fact, as Internet use expands so do the number and sophistication of intrusions.
- Control is relinquished. The Health Insurance Portability and Accountability Act (HIPAA) holds you responsible for the privacy and security of patient information—and contracting with someone else to accumulate, transmit and store that data does not absolve you of responsibility. The beauty of an Internet-based service is that it can occur literally anywhere in the world—and be subcontracted seamlessly. The curse of securing data with an Internet-based service is that it can be located anywhere in the world and subcontracted seamlessly—including in countries that do not comply with United States laws or standards for data security. And you may never know until something goes really wrong. (There is even more to consider in terms of control, but we’ll talk about that in another article.)
- Reliability. There are several sub-issues involved here, including bandwidth and the periodic interruptions that occur with Internet-based services. However, the HIPAA regulations again become a potential issue. One of the mandated security plan requirements involves conducting a risk assessment of potential threats and then developing a plan to address them. Included in this assessment would be vulnerability to natural disaster, and if you don’t know where the “mother ship” servers are located, how can you assess threats and confirm that all protections are in place? And what if the servers are moved to a new location? Will you know? Can you be assured the site is in compliance with HIPAA? And in your HIPAA assessment of business continuity, how will your organization recover from a potentially disruptive event that occurs thousands of miles away?
- Reputation. In any event, when patients become aware of their medical information being put on the Internet to save money you’ll likely have to spend the savings on PR so that your competition isn’t the only one benefiting.
We’ll talk in greater detail about some of the specific issues in upcoming blogs and articles. But the first step is to consider how important the following are to your business:
- Privacy and security controls (for a large volume of highly regulated personal financial/health information)
- Control, which is relinquished in the public Cloud
- Transmission speed, whether posting a payment or scanning images
- Reliability, from local power outages to Federal HIPAA issues
Since each of these issues is of utmost concern to any radiology practice, it is unlikely the public Cloud yet offers a viable alternative, whether billing/collections transactions or transmission of images are involved. There is still too much risk, and it only takes a brief Web search to validate what industry leaders are saying. So far they are consistent: the public Cloud isn’t there yet and, based on the nature of the Internet environment, it may never be.
So is there a place for the cloud? Absolutely. Non-business critical applications, data-sharing that doesn’t involve PHI, marketing and various types of communications—all can benefit from the Cloud concept.