The progression of healthcare documentation has evolved from paper to stand-alone computers, mainframe/mini computers to networked computers, and Web-based applications to cloud computing, currently the latest in health IT popularity. Each step of the progression has introduced improved functionality, decreased costs and increased risk. As with earlier technologies, cloud computing benefits from improved availability and reduced costs, but is also susceptible to increased risks of unauthorized access.
Cloud computing is an evolutionary concept that frees users from the details of how applications are deployed. As large companies and retailers such as Amazon created massive data centers sized to their maximum load, they discovered a leftover surplus of storage capacity and processing power. A market developed in which application vendors could purchase storage, connectivity and processing more efficiently than providing it from scratch. This market is “the cloud.” The components supporting any application can change and can be located anywhere.
The National Institute of Standards and Technology Computer Security Division defines cloud computing as “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” [1] The cloud provides Software as a Service (known as SaaS), whereby customers such as nursing homes purchase access to applications like care planning systems. There are significant advantages to SaaS, including lower costs, no local updates, various pricing models and no on-site computer support beyond supplying workstations (desktops, tablets, smartphones) and Internet access.
Vendors offering SaaS using the cloud are eager to extol the benefits of the approach, but are less forthcoming about the possible risks. All data stored outside of a locked file cabinet is subject to unauthorized disclosure, or data breach in HIPAA terms. The position of the Centers for Medicare & Medicaid Services (CMS) is clear on who is responsible for data breaches: the facility. The HITECH Act contained in the American Recovery and Reinvestment Act extends liability to vendors as well, so it is in everyone's best interest to ensure the security and privacy of all personal health information (PHI).
HIPAA requires healthcare facilities to conduct regular risk assessments for all PHI. Since the data is electronic, any PHI in the cloud is subject to HIPAA standards.
The risk assessment that facilities can document is limited by their access to the internal workings of the SaaS they are using. Thus, significant components of risk assessment and mitigation of risk must be deferred to the supplying vendor. The regular updating of the warranty and indemnification by all software vendors should be a part of every facility's Risk Assessment Plan. Administrators should review this regularly and have their legal counsel review all contracts with vendors supplying any health information services.
Many vendors have comprehensive HIPAA compliance programs. These are expensive, but necessary. Facilities should have evidence of the corporate HIPAA risk assessment of any vendor supplying them with services. Some questions to ask potential (or current) vendors include:
- How is the data protected during transmission between the facility and the SaaS provider?
- How is the data stored and secured at rest? (Some states require encryption even for data at rest in a secure facility.)
- How are requests for data authenticated?
- Where is the data stored? (HIPAA security instructions specify conditions for storage of PHI. Keep in mind some cloud resources are located offshore.)
- Does the facility control all access to its own data?
- What training do personnel with access to PHI undergo?
- How is the security of passwords and systems managed?
Facilities should have clear, unambiguous and comprehensive answers to these questions in writing from all vendors to include in the facility risk assessment.
David M. Oatway, RN, MPH, is a long-term care IT consultant based in Key West, Florida. He has been the Chair of the HIMSS Post-Acute Care Special Interest Group, Vice Chair of the American Association of Nurse Assessment Coordination (AANAC), and a member of the American Health Information Management Association (AHIMA). He developed one of the first clinical MDS systems (CHAMP). He is the database manager of the STRIVE national nursing home time study which developed the RUG-IV Medicare PPS. He can be reached at
1. DRAFT Cloud Computing Synopsis and Recommendations, Recommendations of the National Institute of Standards and Technology, May 2011. Available at: http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
Long-Term Living 2011 August;60(8):50-51