EHRs and Cloud Computing
How SaaS Can Help Minimize Risks
The software-as-a-service model provides more security for EHRs than most smaller physician practices can afford to implement with a locally hosted system, says Patricia Dodgen, CEO at the consulting firm Hielix.
In an interview (transcript below), Dodgen:
- Contends that smaller practices using cloud computing for EHRs can have their patient information stored in secure data centers offering more protection than they can provide on their own servers. She also says the remotely hosted EHRs offer better back-up services.
- Laments that many practices lack knowledge about privacy and security issues.
- Points out that emerging statewide health information exchanges must use encryption, authentication and audit trails to adequately address privacy and security issues. "The HIEs we've been involved in have led with the question of privacy and security because that's a deal killer for many of the participants they are soliciting to come on board," she says.
- Predicts the Nationwide Health Information Network standards could pave the way for exchange of patient data across state lines, but only if adequate authentication -- perhaps including biometrics -- is implemented.
Since co-founding Hielix, Dodgen has focused on advising physician group practices implementing electronic health records and helping statewide health information exchanges develop their strategies.
HOWARD ANDERSON: I know you advise a lot of physician practices about how to select and implement electronic health records. What are the big challenges, especially for smaller group practices, when it comes to taking the necessary steps to keep their newly digitized information private and secure?
PATRICIA DODGEN: I think there is a learning curve and an awareness that's first and foremost. Many physicians aren't as familiar with the HIPAA requirements as they should be. One physician ... told me, "You know ever since I made Wi-Fi available in my waiting room, my patients love that," and I asked him about a firewall and he didn't know what I was talking about. In fact, his entire network was accessible through his Wi-Fi service. So we certainly rectified that, but I think there is a lack of sophistication. ... If you go back to the meaningful use rules (for federal EHR incentives), one of the requirements is to do a security review. ... That is a very straightforward and really pretty easy-to-implement approach toward a physician reassuring himself that he has, in fact, taken the appropriate steps to make sure that that information is safeguarded. And any reputable EHR vendor will explain in detail to a physician exactly how their product works and what safeguards are in place to ensure that there are no vulnerabilities. ...
Cloud Computing's Role
ANDERSON: What are the most common risk mitigation strategies that smaller practices new to EHRs are implementing first?
DODGEN: I think the biggest one is looking very hard at software-as-a-service as an approach as opposed to having a server with the software in their office. When they go with the hosted solution, they are able to access a level of security that most practices, even large medical practices, can't actually afford to have in place.
Some of the vendors have software-as-a-service hosted solution options that are actually hosted in data centers that are ... acceptable for military intelligence purposes. There is such a data center in my hometown of Tampa that hosts not only an EHR product but also hosts military apps. ... That kind of security is not going to be commercially available to a small practice in a configuration other than a hosted solution.
ANDERSON: That's interesting because some folks have concerns that cloud computing can be less secure and create more risk issues. Are you saying that for a small organization going from paper to electronic records, taking the security steps can be easier by using a cloud partner?
DODGEN: Absolutely, because then they'll take care of your back-up issues. Typically a good size hosting company will have multiple locations, so the backup is a fairly automatic consideration. ... This is a big consideration in Florida; you don't have to worry about lightning strikes to your building; you'll still be able to log on via wireless VPN to your hosted site so you can get to your application even in a fairly extreme situation.
I just keep coming back to the idea that if I've had a paper-based office, the security level is so low there. ... So the security implications of paper records are far greater than going to electronic health records. ...
Health Information Exchange
ANDERSON: You are advising emerging health information exchanges in several different states. What are the primary steps that they are taking to make sure information remains secure and private in transit?
DODGEN: Health information exchanges at the state level have a great regard for the requirements of privacy and security. Typically, in the states where we've been involved in developing the strategic and operational plans, a large component has been looking at the security and privacy concerns of the various stakeholders and also looking at state legislation. Because in many cases, we've found that legislative changes are necessary in order to create consistency in all the care settings that are going to participate in the HIE. I am very comfortable with the level of technology that is implemented in HIEs ... record locator services, encryption, authentication, audit trails. The HIE efforts that we've been involved in have led with the question of privacy and security because that's a deal killer for many of the participants that we try to solicit to come on board and work with the HIE.
HIE Evolution
ANDERSON: How do you see health information exchanges evolving over the next couple of years, and what new issues will that raise?
DODGEN: We have a lot of conversations ... about moving to the cloud, and what is the cloud? ... I think what the cloud means is just a virtualization of data access. So clearly we're moving in that direction.
But I also think that HIEs are going to become maybe a bit more organic. We've been working in this area since 2005, and some of the early HIE efforts were more focused on, "Wouldn't it be nice to have a health information exchange?" as opposed to (meeting the specific needs of a) critical access hospital and a diagnostic radiology center and a set of physician practices that refer into that critical access hospital. There you've got a natural and organic need to exchange data on a day-in and day-out basis. When you build an HIE effort around that kind of instance, then you get something that's sustainable and intrinsically has value and you can build a sustainability model because the participants understand that if ... we can put together a business use case that says at X number of dollars per month or per transaction, this is being offset by an improvement in outcome or reduction in cost or an increased speed in the moving of the data from point A to point B. That's where true sustainability comes from. I think you'll see more and more of that.
Secondly, you're going to see a big influence of the Nationwide Health Information Network and what that means as the states begin to do the network of networks. So who gets to connect to the statewide HIE, and then, from that point, who connects to the NHIN? ... We're going to begin to see the actual availability of data across state lines and in care settings where we really haven't seen it before.
So I think ... we are within a reasonable vision of seeing a patient from California who becomes ill at an amusement park in Orlando and is non-communicative, through the NHIN, having their information accessible in an emergency care setting. That's where we really want to go.
ANDERSON: Doesn't that raise some new privacy issues?
DODGEN: I think it does. Those issues have more to do with authentication versus encryption. I think the authentication pieces are making great strides. I don't know where they will end up. I'm not an expert in biometric authentication, but certainly that is one avenue where I think we'll begin to see more and more sophistication. ...