At a U.S. Senate hearing on health data security last fall, the director of the Health Privacy Project for the Center for Democracy & Technology told a rather amazing fact: "The healthcare industry appears to be rarely encrypting data."
With all the data breaches in the news, it’s remarkable that encryption isn’t universal. The three biggest data breaches ever, involving a total of 8 million patients, were caused by loss of disk drives and backup disks full of unencrypted data. With client-server computing systems traditionally used in healthcare, computer hardware and backup disks containing patient records are very vulnerable to theft and loss. And since patient data tables on these devices and media are usually unencrypted, they can be easily read by anybody who gets their hands on them.
[Patient records in the cloud, part 2: Glimpse inside a secure, private datacenter.]
That isn’t optimum data security. As I pointed out in the first two sections of this series, physical security of data can be superior with web-based secure private cloud systems compared to client-server systems. Cyber security can also be as good or better, with multiple layers of security utilized. Encryption is a good example. Healthcare executives wouldn’t have to worry about unencrypted data falling into the wrong hands if their electronic health record systems automatically encrypted for them. With web-based private cloud computing, data can be automatically encrypted end-to-end.
Encryption can compromise data access speeds, and since most healthcare enterprises use client-server systems with in-house servers, health IT managers may think they don’t have that problem because patient records are always supposed to remain inside. But the rise in data breaches caused by loss and theft of equipment and insider access issues shows that in-house data is sometimes anything but. In secure private cloud systems, encryption is the norm because engineers know that data will traverse a physical medium outside of the enterprise, so they prepare appropriate and effective security. Regarding the problem of encryption and data access speeds, web-based secure private cloud systems have capabilities to encrypt data on field-by-field basis, which can ensure rapid operational speed.
Typically, data pulled or transmitted from a secure private cloud system using browsers can be automatically encrypted via industry- and HIPAA-standard 128/256-bit SSL encryption. So, even if hackers are sniffing around a healthcare enterprise’s data traffic, it will just look like gibberish. All in-bound data can be transferred from hospitals and health enterprises to the secure private cloud using a VPN tunnel. Inbound data is sent from an Internet browser to the database using Secure Sockets Layer, commonly known as SSL.
Another important security layer includes strictly-limited user roles for each identifying password. Access to data can be restricted to each user’s role, set through careful planning by healthcare system administrators and implemented by vendor and customer together. Access to patient health data can be specifically tailored through the software-as-a-service among doctors, nurses, technologists and other staff so nobody has access to data they should not.
No data security protocols are 100 percent guaranteed; the best we can ever do is continually ratchet down the percentage risk of a breach. But even this can be much more easily accomplished with web-based secure private cloud systems, where ease of implementation also provides an important security feature. Installation and upgrades are much easier and quicker compared to client-server systems because no new hardware is needed and everything can be done over the Internet. Massive software updates conducted by an army of on-site consultants are not necessary. In the same way, customized security features can be easily built into the system up-front and then fine-tuned as new exigencies arise. Security problems can be fixed overnight instead of taking months to resolve, during which time vulnerabilities can be exploited.
An example of a security feature that can be built in when designing a system could include a minimal-exposure rule. If a data set is requested by the hospital, a minimal-attribute data set can be created and delivered with patient health information keys in a separate, encrypted table. An additional password can be required to merge the data subset with the PHI table.
[Part 1: Money in a mattress: Why patient records should move to a private cloud.]
An obvious data security factor is that reputable secure private databases have a critical mass of security experts working to protect data. Even in the biggest healthcare systems and hospitals, there may be one position dedicated to data security, while usually the responsibility falls to the overall IT staff, which also has many other responsibilities. At a secure private database, almost the entire staff is made up of security experts, and that’s pretty much all they do. The security of your data is the top priority.
Other touted benefits of cloud computing – lower long-range costs, virtually unlimited capacity and computing power, and ability to create and store flexible data for research – are vital arguments for adoption in the healthcare industry, just like in other industries. And healthcare IT managers understand the benefits: a KLAS report earlier this year showed that 60 percent say cost savings would be the greatest benefit of cloud-computing adoption. The same report found that many health IT managers are in no rush for cloud adoption because they have more pressing problems right now, such as meeting Stage 2 Meaningful Use criteria and wrestling with ICD-10.
Resistance may be crumbling to cloud computing in healthcare. Until now, safety concerns and the desire to hide money in the mattress have led healthcare decision-makers to stick with client-server computing systems with in-house servers that create unnecessary vulnerabilities to data breaches. Fears about data security and secure private cloud systems can and should be put to rest.
Craig K. Collins is President & CEO of Perminova Inc.
Related coverage:
Q&A: Michigan's journey to cloud engagement
HIT makeover, public health style
Cloud, mobile tech's on display at Government Health IT conference
NASCIO's 12 tips for states considering the cloud
NIST's 10 cloud computing requirements
