One weekend afternoon last fall, a burglar broke into an office and stole some computer equipment. That fairly commonplace crime resulted in one of the biggest patient health data breaches in history. Probably without knowing it, the thief snatched a computer whose hard drive contained more than 4 million unencrypted patient medical records, including names, addresses, birth dates, phone numbers, email addresses, medical record numbers, diagnoses and other information. Shortly afterward, 11 class action lawsuits were filed on behalf of those patients, seeking more than $1 billion in damages. It was a costly misadventure – and, worse, entirely avoidable.
Such data breaches are all too common. While anonymous hackers may strike the most fear regarding health data theft, research and surveys show that old-fashioned larceny, human error and insider misdeeds pose bigger threats. Most patient health information breaches involve mistakes or thefts that originate on the inside of a health enterprise.
Yet, healthcare organizations continue to prefer computer systems that are extremely vulnerable to data breaches caused by equipment loss, theft and insider misconduct. Cloud-computing systems can be designed to be safer than traditional client-server systems against the prevailing causes of healthcare data breaches. But while adoption of cloud computing is growing in healthcare, the vast majority of hospitals and healthcare systems still use client-server systems, almost universally for enterprise-wide electronic medical records.
These systems center on local servers, usually housed in poorly secured server rooms, directly accessed by desktop computers and laptops scattered throughout the enterprise. Patient health data is routinely downloaded to, and uploaded back from, those desktop and laptop computers to the local servers.
Many healthcare administrators like client-server systems because they feel safer keeping their patient data within reach. But that’s like hiding money in your mattress and feeling like it’s safer than in a bank. You can’t keep an eye on that mattress all the time, nor can health system personnel keep watch over every piece of equipment and every computer disk or tape that might contain patient health records. Secure private cloud is like taking money out of your mattress and putting it into a bank.
Banks have been using various forms of secure private cloud and web-based systems for a few years, in fact, and so have the Defense Department and military contractors. Banks run their own secure clouds for various financial services, though a Bank of America senior vice president recently said that secure private clouds operated through bank-vendor partnerships are not far off.
An article in Defense Systems in January, meanwhile, stated bluntly: “Virtually all defense organizations and intelligence agencies are turning toward cloud computing for everything from satellite imagery to telecom traffic to Web content.” Other industries are moving to cloud computing for cost, scalability and computing power, and security has not been a barrier to their adoption. If secure private cloud can be safe enough for your money and your national security, surely it can be safe enough for your patient health data.
When making comparisons between client-server and secure private cloud systems, I’m not talking about the public cloud. The difference is critical. A secure private cloud system is built around a high-security private database, networked to users through web-based software-as-a-service (SaaS), where each client’s data is protected in its own database schema. Public cloud refers to storage infrastructure available to the general public where data may be stored in various database locations depending on availability. Patient health information should not reside in a public cloud.
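The schema-per-client isolation described above, as an added illustration that is not code from the original article or from any vendor: each client organisation gets its own schema, and the data-access layer derives the schema from the authenticated client rather than from anything the caller supplies, so one client's session cannot reach another client's records. The client names, patient rows and table layout are constructed for the example; SQLite's ATTACH stands in for CREATE SCHEMA, and a production PostgreSQL deployment would additionally enforce the boundary with GRANT/REVOKE on each schema.

```python
import sqlite3

# Constructed sample: two client organisations, each mapped to its own schema.
TENANT_SCHEMAS = {"clinic_a": "clinic_a", "clinic_b": "clinic_b"}


def build_db():
    """Create one database holding a separate schema (attached in-memory DB) per client."""
    conn = sqlite3.connect(":memory:")
    for schema in TENANT_SCHEMAS.values():
        conn.execute(f"ATTACH DATABASE ':memory:' AS {schema}")
        conn.execute(
            f"CREATE TABLE {schema}.patients "
            "(mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)"
        )
    # Constructed patient rows, one per client schema.
    conn.execute("INSERT INTO clinic_a.patients VALUES (?, ?, ?)",
                 ("A-1001", "Alice Example", "hypertension"))
    conn.execute("INSERT INTO clinic_b.patients VALUES (?, ?, ?)",
                 ("B-2001", "Bob Example", "asthma"))
    conn.commit()
    return conn


class TenantSession:
    """Data-access layer bound to one authenticated client.

    The schema is resolved once from the client identity established at login;
    callers never name a schema, so a query can only touch their own tables.
    """

    def __init__(self, conn, tenant):
        if tenant not in TENANT_SCHEMAS:
            raise PermissionError(f"unknown client: {tenant}")
        self.conn = conn
        self.schema = TENANT_SCHEMAS[tenant]

    def fetch_patient(self, mrn):
        """Return (mrn, name, diagnosis) from this client's schema, or None."""
        return self.conn.execute(
            f"SELECT mrn, name, diagnosis FROM {self.schema}.patients WHERE mrn = ?",
            (mrn,),
        ).fetchone()

    def patient_mrns(self):
        """List every MRN visible to this client; other schemas are never consulted."""
        rows = self.conn.execute(f"SELECT mrn FROM {self.schema}.patients").fetchall()
        return [r[0] for r in rows]
```

A lookup for another client's record number returns nothing even though it exists in the same database, because the session never addresses that schema.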
For health records, Web-based secure private cloud systems include a fundamental security feature that highlights perhaps the most severe problem with client-server systems. In web-based secure private cloud, patient information need never reside on PCs, laptops or other user hardware, so it remains safe in case of equipment loss or theft.
Web-based secure private cloud also better addresses the insider threat to patient data from disgruntled employees – or even larcenous employees – or from patient-record snoopers and human error, the simplest of which can lead to disastrous results. The security differences between secure private cloud and client-server systems come down to the proximity of sensitive data to those who might misuse it, the number of people who have access and the number and safety of access portals. Far from lacking in security – the prevailing fear in healthcare and elsewhere – secure private cloud can provide better physical security and equal or better cyber security when compared to traditional client-server computing systems. The next two parts of this series will look at physical and cyber security of secure private cloud for patient health data.
Craig K. Collins is President & CEO of Perminova Inc.