Guest post by Amit Cohen, co-founder and CEO, FortyCloud.
Remote access is changing the practice of medicine – from data collected remotely from newly developed telemedicine devices, to surgery conducted by a surgeon in an offsite location. A smartphone application, currently in development, is set to monitor a user’s voice to detect mood changes for individuals with bipolar disorder. Devices and applications such as these not only improve the quality of care available to patients across the globe, their use also results in exponential growth in the sources and volumes of data. These cutting-edge technologies present new challenges for IT professionals who are responsible for ensuring high availability (always-accessible data), scalability and flexibility for their healthcare organizations.
To enable scalable, high performance at lower costs, even from remote locations, healthcare and pharmaceutical IT have adopted the cloud. Since cloud data centers can be diversified across the globe, cloud computing provides quick access to globally diverse users.
The cloud also offers the scalability to handle the massive influx of new data generated by new health care applications expected from the implementation of the U.S. Patient Protection and Affordable Care Act (PPACA). The U.S. Department of Health and Human Services (HHS) Stage 3 Proposed Rule is also likely to result in additional volumes of digital data. This Rule seeks to align the EHR Incentive Programs with other CMS quality reporting programs that use certified EHR technology to promote improved patient outcomes and health.
Therefore, it is not surprising that healthcare cloud computing is forecasted to grow to $9.48 billion by 2020, according to a recent study; an impressive increase from the current 2015 market value of $3.73 billion.
However, can a practitioner utilizing cloud services guarantee that their EHRs are secured? Can a patient be confident that their wearable heart monitor stats are sent over secure pathways? For the surgeon who is remotely conducting laser surgery, can they be 100 percent certain that no hacker is going to change the direction of the beam? Less dramatic but also worrisome, what measures are in place to ensure confidentiality and prevent unapproved access to billing information?
Especially since a number of individuals and organizations may be accessing this information from branch offices and from remote devices, appropriate security measures must be in place.
For healthcare organizations seeking cloud services, security issues and the willingness to enter into a Business Associate Agreement (BAA) represent a major concern. What security measures should these healthcare organizations take to ensure secure remote access to medical data in the cloud and hybrid deployments?
Key to any security solution is data encryption, both of the data at rest and the associated data workflows. However, encryption alone is not enough; IT teams need to assume physical ownership of encryption keys.
HIPAA compliance is also mandatory for healthcare organizations. According to the HIPAA Omnibus Rule, patients’ privacy must be protected, including in cloud storage options. All covered entities must ensure that they create comprehensive BAAs, as business associates are also responsible for keeping PHI secure.
A third component of any healthcare security policy is identity-based access policies. Preventing malicious access to PHI or remote medical applications requires centralized access management that allows access according to strict criteria. Therefore, personnel in the billing department would never gain access to blood sugar values sent via an app to a nurse practitioner, even though they both work for the same organization. The implementation of two-factor authentication (usually a password and another factor such as biometric input) also assures that even if a healthcare worker’s laptop is stolen onsite or offsite, the thief would be unable to use the laptop to access the organization’s data.
While technological advances in remote medical care and devices are a major step forward for both patients and healthcare providers, appropriate security measures must be taken to ensure the success of these developments.