Health Information Security and the Cloud

Back in 2005, Hurricane Katrina smashed into the Gulf Coast community of Waveland, Mississippi. Among the many losses were the community’s medical files. The storm instantly wiped out more than 10,000 of Waveland Medical Center’s patient medical records.

“For the past year, we have had to rely on our memories and notecards to keep track of patient care while treating patients outside or in a tent, battling against power outages, and working without heat in the cold and without air conditioning in the summer,” said Roberta Chilimiagras, M.D., WMC’s owner, in the days after the storm.

Patients fleeing the Gulf Coast area often sought treatment elsewhere. In Houston, Melinda Amedee presented at the MD Anderson Cancer Center, saying that she had been scheduled to have a tumor removed from her kidney at a New Orleans hospital. As Time magazine reported, her case posed a serious challenge to the doctors in Houston, who had no medical records and no way of contacting her Louisiana kidney specialist.

This example – extreme as it is – highlights a critical, and often overlooked, component of the privacy and security of patient information. Health information security can be thought of as a three-legged stool—Confidentiality, Integrity, and Availability. It’s widely accepted that health information must be kept confidential. But what good is all that information if doctors and their patients can’t get to it at the critical moments? I’d argue that on a day-to-day basis, patient access to, and input on, what is in their health records is an aspect of privacy and security that deserves greater attention.

When it comes to enabling availability, cloud-based EHR services offer some distinct advantages, including:

  • On-demand availability 24 hours a day from any location (brief maintenance breaks excepted)
  • Ability to back up data at another secure location that is geographically separate from the primary location
  • Ability to apply a uniform, high level of security, privacy controls and resources across medical practices, large and small, across multiple practice geographies. While some large, security-focused health systems might attain a high level of consistency in security across multiple entities and geographies using a client-server model, few will manage to maintain that consistency over time.
  • An integrated database platform that makes data available across multiple service lines without the availability and data integrity risks inherent in cobbling together multiple information platforms.

Availability is often highly restricted in paper-based information and in the client-server software world. For entities stuck with paper, access is limited to those who can physically get to the records, which can be lost or misplaced. There’s also little ability to audit who has obtained access to, or altered, a record. These problems persist in many client-server software systems where patient information is siloed and walled off.

This is not to suggest that a cloud-based electronic health record system leads to an information security Nirvana. Clinicians in the market for an EHR should do their full diligence.

The best systems, whether on a cloud (private or public) or a client-server platform, observe basic information security practices. Any health care organization needs to balance relative performance on availability with the other two legs of the security stool. Better availability of records in the aftermath of Katrina could have helped many in Waveland and other Gulf Coast communities. And it can make a difference in the day-to-day as well through improved care coordination and outcomes.

Dan Orenstein is Senior Vice-President and Chief Counsel at athenahealth, Inc.