JAMIA: Cloud-based EHRs could bring 'superior' security
Cloud computing refers to subscription-based, fee-for-service utilization of computer hardware and software over the internet. The model is gaining acceptance for business IT applications because it allows capacity and functionality to increase on the fly without major investment in infrastructure, personnel or licensing fees, according to perspective author Eugene J. Schweitzer, MD, of the department of surgery, division of transplantation at the University of Maryland Medical School in Baltimore. Large IT investments can be converted to a series of smaller operating expenses.
Cloud architectures could be “superior” to traditional EHR designs in terms of economy, efficiency and utility, Schweitzer posited. A central issue for EHR developers in the U.S. is that these systems are constrained by federal regulatory legislation and oversight, he wrote. These laws focus on security and privacy, which are well-recognized challenges for cloud computing systems in general.
The National Institute of Standards and Technology (NIST) definition of cloud computing lists five essential characteristics:
- On-demand self-service. Customers can provision or release computing resources as needed, automatically, without human intervention by the cloud provider.
- Broad network access. Services are provided over the network in formats that promote access by a wide variety of desktop and mobile client devices.
- Resource pooling. The cloud provider pools its computing resources, dynamically allocating and releasing resources like storage, processing, memory, network bandwidth and virtual machines to multiple consumers.
- Rapid elasticity. The provider's resources can be elastically scaled out or quickly released to scale in, depending on customer demand, giving the customer the appearance that resources are unlimited.
- Measured service. The provider monitors and reports consumer usage of services.
The HIPAA Security Rule contains 42 implementation specifications that are “sufficiently broad and complex to elicit the publication of multiple articles and books that attempt to explain and simplify them,” wrote Schweitzer. They include guidelines that relate to:
- security administration (conducting risk analyses and implementing policies and procedures to address vulnerabilities);
- assigning responsibility;
- screening and educating the workforce;
- limiting access to protected health information;
- developing incident response plans;
- physical safeguards (protecting and limiting access to servers, storage media and workstations); and
- technical safeguards (user identity management, encryption, activity audits, data integrity verification and transmission security).
If the third-party provider offers cloud services, rather than simple EHR hosting, then there are specific privacy and security issues that must be addressed in addition to those listed above, Schweitzer noted. Many of the cloud-specific issues relate to multi-tenancy, which refers to cloud architectural designs that allow multiple customers to share infrastructure, services and applications in order to enable the economies of scale and operational efficiency. Degrees of isolation can range from the entire data center to the physical server or to data elements (ordered from most to least isolated).
Generally, the higher the degree of isolation between different customers' assets that a cloud architecture offers, the higher the cost, according to the perspective. In the case of EHR, a high degree of isolation should be used to ensure that electronic protected health information (ePHI) is not commingled with that of other patients or cloud clients, since commingling complicates data security, data destruction, encryption and geo-location restrictions.
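The following is an added illustration of the least-isolated end of that spectrum, not code from the perspective article or from any EHR vendor: a single shared store in which records of several tenants are commingled, separated only by a per-tenant AES-GCM data key. Tenant names, record IDs and record contents are constructed sample values, and the in-memory key map stands in for a key-management service. It shows concretely why commingling complicates destruction: deleting a tenant's key (crypto-shredding) makes that tenant's records unrecoverable while the other tenant's remain readable, but the ciphertext bytes themselves still sit in the shared store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one encrypted item in the shared store. Records of every
// tenant live in the same map; only the key that produced the ciphertext
// keeps them apart.
type Record struct {
	Nonce []byte
	Data  []byte // AES-GCM ciphertext, with the tenant name bound as AAD
}

// SharedStore models data-element-level isolation on commingled storage.
type SharedStore struct {
	tenantKeys map[string][]byte // per-tenant data key; a KMS would hold these in practice (assumption)
	records    map[string]Record // "tenant/id" -> record, all tenants in one map
}

func NewSharedStore() *SharedStore {
	return &SharedStore{
		tenantKeys: make(map[string][]byte),
		records:    make(map[string]Record),
	}
}

// Onboard generates a fresh 256-bit data key for a tenant.
func (s *SharedStore) Onboard(tenant string) error {
	if _, exists := s.tenantKeys[tenant]; exists {
		return errors.New("tenant already onboarded")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	s.tenantKeys[tenant] = key
	return nil
}

// aead returns the AES-GCM instance for a tenant, or an error if the
// tenant has no key (never onboarded, or already shredded).
func (s *SharedStore) aead(tenant string) (cipher.AEAD, error) {
	key, ok := s.tenantKeys[tenant]
	if !ok {
		return nil, fmt.Errorf("no key for tenant %q", tenant)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext under the tenant's key and stores it in the shared map.
func (s *SharedStore) Put(tenant, id string, plaintext []byte) error {
	gcm, err := s.aead(tenant)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The tenant name is additional authenticated data, so a ciphertext
	// cannot be re-labelled as another tenant's and decrypted with its key.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(tenant))
	s.records[tenant+"/"+id] = Record{Nonce: nonce, Data: ct}
	return nil
}

// Get decrypts a record; it fails if the tenant's key is gone or the
// record is not that tenant's.
func (s *SharedStore) Get(tenant, id string) ([]byte, error) {
	rec, ok := s.records[tenant+"/"+id]
	if !ok {
		return nil, errors.New("record not found")
	}
	gcm, err := s.aead(tenant)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Data, []byte(tenant))
}

// Destroy crypto-shreds a tenant: the key is discarded, so its ciphertexts
// on shared disks and backups are no longer recoverable.
func (s *SharedStore) Destroy(tenant string) {
	delete(s.tenantKeys, tenant)
}

// RecordCount exposes that shredding leaves the commingled ciphertext in place.
func (s *SharedStore) RecordCount() int { return len(s.records) }

func main() {
	store := NewSharedStore()
	for _, t := range []string{"clinic-a", "clinic-b"} { // constructed tenant names
		if err := store.Onboard(t); err != nil {
			panic(err)
		}
	}
	_ = store.Put("clinic-a", "pt-1001", []byte("constructed sample: allergy list"))
	_ = store.Put("clinic-b", "pt-2002", []byte("constructed sample: medication list"))
	store.Destroy("clinic-a")
	_, errA := store.Get("clinic-a", "pt-1001")
	ptB, _ := store.Get("clinic-b", "pt-2002")
	fmt.Printf("records still stored: %d; clinic-a readable: %v; clinic-b: %s\n",
		store.RecordCount(), errA == nil, ptB)
}
```

Physically separating tenants (a dedicated server or data center, the more isolated end of the spectrum) removes the need for this kind of key discipline but at higher cost; on shared storage, per-tenant keys are what make destruction, encryption scope and geo-location controls enforceable at all.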
“Some of the security concerns relating to multi-tenancy for cloud-based EHRs could be ameliorated by exploiting the ‘community clouds’ design, so computing resources are only utilized by EHR systems,” Schweitzer suggested. “The cloud provider could then apply HIPAA-compliant data management and disposal techniques to all the clients in its EHR cloud community.”
Implementation of the privacy and security standards that are currently under development within the cloud community, including business associate contracts that specify auditable, enforceable performance metrics and sharing of liabilities, should allow such a system to achieve compliance with federal privacy and security regulations, Schweitzer concluded. “By enabling easy adoption of feature-rich EHR systems, modern IT architectures can facilitate the federal government's expressed goals of enhancing patients' access to their medical records, improving data exchange and reducing healthcare costs,” he wrote.