Cloud Myths and Misinformation Physicians Must Consider

In last month's blog we discussed how "cloud" is ready for prime time in healthcare. That blog contained information on what cloud services are, how they work, and why they are part of most physicians' - and virtually all hospitals' - IT strategies going forward.

This month we address cloud myths and misnomers, concluding with a "cloud checklist" for practices.

1. Cloud is foolproof

Many ads, marketing materials, and salespeople make the cloud sound like it's magically foolproof, implying that going to the cloud makes all your IT troubles magically disappear. Many users don't think about the fact that cloud services contain all the IT hardware, software, and related complexity that is represented with any IT installation. In fact a cloud hosting facility contains massive servers, storage systems, and network gear. The main difference is that a properly designed cloud hosting facility has IT systems with much more computing horsepower, with systems that are designed to support thousands or even millions of users, and it is configured and managed by much more skilled technical resources.  Cloud is not automatically foolproof.

2. Cloud is risky

Many people have the opposite opinion than the one above, that cloud is risky. Cloud services can be risky, especially if they are not designed, configured, and maintained properly. And there have been many well-publicized cloud outages. In most cases if you look at the root causes of the major cloud outages, they are traceable to IT principles that were either ignored to begin with, or IT operations that were not followed over time. Properly designed and managed cloud services should be more reliable than onsite IT infrastructure.

3. Cloud is cheaper

Cloud can be cheap. In fact some cloud services are "free." But to borrow and slightly tweak a phrase from Homer’s Odyssey, “Beware of Geeks bearing gifts,” you need to watch out for hidden costs.  Many times those free cloud services come with annoying ads and pop-ups, sometimes including spyware, which is designed to track your web browsing habits. If cloud services are free, there is always a catch.  If it is incredibly cheaper than other solutions (including your on-site servers) then something is missing.  Properly designed and configured cloud services can be less expensive, depending on the circumstances, but it's a significant difference then you likely don't have the whole story.

4. Cloud is more expensive

This is obviously the opposite of the myth above, so how can some people think cloud is cheaper while others think it is more expensive? In most cases we have seen, a properly designed cloud infrastructure is less costly than a comparable on-site client/server installation, especially over time. If you are looking at a comparison of the two solutions and cloud is significantly more expensive, you are probably not looking at an apples-to-apples comparison. Cloud services typically have real-time geographic replication, which means you not only have one installation of your servers and data, but a second site that is ideally located several states away. In case of disaster in one data center, you can be up and running within minutes (or less) in the other data center. To properly compare such dual-site cloud services, you have to account for that with an onsite model.  That almost always makes cloud a more attractive option economically.

5. If your EHR is hosted in the cloud, you are HIPAA compliant

There are many cloud hosted EHR solutions out there. Whether an EHR is hosted in the cloud or onsite, HIPAA compliance (with the EHR) is more or less a given. But what is critical to understand is that of the 700+ HIPAA breaches reported by HHS since 2009, not a single one of them involved an EHR. Instead those breaches involved data that had been exported out of an EHR in the form of documents and reports, and stored locally on a server, a workstation, a laptop, or a portable USB drive. So it's not the EHR that needs the benefit of a secure cloud hosting facility, it's all the other items like files, documents, spreadsheets, images, PDFs and the like. A proper healthcare cloud solution should include all elements of a clinic's functions - both clinical and business office.

6. Cloud providers should be "HIPAA-certified."

There is no such thing as a formal “HIPAA certification,” at least not yet.  Cloud providers who claim they are HIPAA certified (as a formal and specific designation) are stating something that's incorrect, and this may indicate their ignorance of the HIPAA Security Rule in general. As the checklist below indicates, a formal HIPAA compliance program is essential, along with the cloud provider's willingness to execute a Business Associate Agreement. 

Cloud checklist for healthcare:

1. Ask questions and get comfortable and make sure you understand what your are getting … you should be able to get the same comfort level with a cloud provider as  you would with an on-site or internal IT solution. Your cloud provider should be able to explain exactly what services are being provided - but more importantly - exactly how those services are going to be delivered. If they cannot explain the services at a level that you can understand, that is a giant red flag.

2. Insist that your cloud provider provide documentation of their HIPAA compliance program, and insist that they sign a Business Associate Agreement (BAA). If they will not, or if you don't get a comfort level of their understanding of and compliance with HIPAA, do not move forward. A simple outside audit or a claim that they are “HIPAA Certified” is a giant red flag.

3. Check references. This sounds simple but is often ignored. 

4. Find out how long the cloud provider has been offering these types of services. Many cloud providers have started up in the last few years and they do not have extensive history in healthcare IT. Here is nothing inherently wrong with a startup, but you need to understand how much history a cloud provider has with healthcare.

5. Don't assume that just because your EHR is hosted you are HIPAA compliant, and all your applications are covered. You need to have a solution for all business and clinical functions, many of which happen outside of your EHR. In fact there has not been a single breach due to an EHR, whether hosted or onsite. You need to address all documents and reports, such as Word and Excel files, as well as financial systems and e-mail. Speaking of e-mail, Internet service provider (ISP) e-mail such as Gmail, Hotmail, etc., is not - nor can it be made to be - HIPAA compliant.