Healthcare, Cloud, and Cybersecurity – A Complex Issue
The healthcare industry poses one of the toughest challenges to cybersecurity due to the extremely sensitive nature of its data. Is the cloud safe enough for healthcare?
There is a nearly inexhaustible list of reasons why the healthcare industry has been adopting cloud solutions at an increasingly rapid rate for some time now. Some of these reasons have to do with improving patient outcomes and providing superior care for current and future patients. Others have to do with market realities and the need to care for a growing number of patients using the same (or even smaller) amount of resources.
A big part of this ongoing transition of healthcare IT systems to the cloud has been the issue of security, for understandable reasons. Various healthcare entities handle copious amounts of extremely sensitive patient data and putting this data in jeopardy would invalidate the many benefits that switching to the cloud would bring to healthcare.
A Smorgasbord of Acronyms
In order to find one's way around healthcare IT and its transition to the cloud, one needs to become familiar with a number of ubiquitous acronyms. Here is a list of the most important of them, together with some basic information, for your reference:
- HIPAA – The Health Insurance Portability and Accountability Act of 1996, an act that established national standards for the protection of health information as it goes digital. Its two main parts are the HIPAA Privacy Rule and the HIPAA Security Rule.
- HHS – The U.S. Department of Health and Human Services, the government agency that came up with HIPAA.
- OCR – The Office for Civil Rights, the agency responsible for enforcing HIPAA's privacy and security rules.
- HIT – Healthcare IT.
- PHI and ePHI – Protected Health Information and electronic Protected Health Information.
- EHR – Electronic Health Records.
- HITECH Act – The Health Information Technology for Economic and Clinical Health Act, a piece of legislation created in 2009 in order to stimulate a widespread adoption of electronic health records (EHRs) by providing financial incentives.
The Perfect Scenario
In an ideal scenario, a hospital somewhere would realize that their day-to-day operations would be vastly improved by switching at least some of their IT system to the cloud. Moreover, they would realize that they could get an incentive thanks to the HITECH Act. They would consult HIPAA's guidelines and hire HIPAA-compliant IT vendors to handle their transition. The process would take some time, but thanks to the security and privacy guidelines, it would all go without a hitch.
Innumerable cases of healthcare data breaches have taught us that reality is much different when it comes to healthcare entities, cloud, and cybersecurity.
According to some people, this starts with the HIPAA and HITECH Acts themselves, which are not precise and comprehensive enough. For instance, two-factor authentication, something that should probably be a requirement, is not explicitly included in the HIPAA guidelines. In fact, the guidelines refrain from mentioning any particular security measures that need to be taken.
To quote from the guidelines:
"Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards…"
To some people, this seems like an approach that leaves too much to the expertise of people (hospital administrators and other decision-makers) who are often not too versed in cybersecurity.
It should be pointed out that the HIPAA and HITECH guidelines are not that bad. In fact, they do a rather good job of handling an issue that is extremely complex.
In addition to this, the average healthcare IT ecosystem is much more complex than what one might encounter in a corporate environment. Healthcare providers and insurers need to exchange ePHI on a regular basis, which can involve a whole array of tools and protocols, each with its own vulnerabilities.
There are also too many individuals with different levels of access to sensitive data, as well as innumerable terminals from which they access this data. All of this makes it far more difficult to ensure proper security.
When you add to this the large number of different cloud services vendors with their own vulnerabilities, it becomes quite obvious that the challenges are significant.
Not All Is Lost
The good news is that not everything is catastrophic. The HIPAA and HITECH guidelines are actually a great first step in ensuring cloud security for healthcare organizations. The cloud service vendors are actually better versed in cybersecurity than the more traditional in-house professionals who used to handle cybersecurity for individual organizations.
There have also been some important steps made in educating healthcare workers about the dangers of not taking cybersecurity seriously, especially when it comes to keeping an eye on the devices through which the HIT cloud systems can be accessed.
As the team from the Icahn School of Medicine at Mount Sinai is demonstrating so brilliantly, the future of healthcare is in the cloud. Cybersecurity that safeguards the data and everyone involved will always be of paramount importance, as will the guidelines that indicate the direction to go.
Things are definitely moving in the right direction and it is only a matter of time before we see some truly earth-shattering positive healthcare news enabled by none other than cloud computing.
Opinions expressed by DZone contributors are their own.