Some level of consensus emerged among participants in a panel discussion entitled “Data Security in the Cloud: Leveraging Accessibility While Managing Risk,” the first panel of the day on Dec. 10 at the Health IT Summit in Houston. The summit is being held at the Royal Sonesta Houston Hotel and is sponsored by the Institute for Health Technology Transformation, or iHT2 (since December 2013, iHT2 has been a partner organization with Healthcare Informatics under the joint umbrella of the Vendome Group, LLC, HCI’s parent company).
Panel moderator Nora Belcher, who is the executive director at the Texas e-Health Alliance (Austin), led discussants through a broad range of topics. Participating with her were Theresa Meadows, M.S., R.N., senior vice president and CIO, Cook Children’s Health Care System (Fort Worth, Tex.); Ferl Howard, director of technology and information security, Trinity Mother Frances Hospitals and Clinics (Tyler, Tex.); Phil Alexander, information security officer, UMC Health System (Lubbock, Tex.); David La Brosse, strategic partner manager at the Sunnyvale, Calif.-based NetApp; and Doug Rufer, regional business manager at the Rochester, N.Y.-based Carestream Health.
Panel members (l. to r.): Meadows, Howard, Rufer, Alexander, and La Brosse
Given the recent, troubling data breaches at organizations nationwide, Belcher asked fellow panelists what they would tell the public about the security of cloud-based computing.
“My answer,” said Howard, “is that I don’t treat the cloud any differently from how I treat any onsite solution; I require of it the same level of audit management, the same security parameters; I expect the same capabilities. It can be a secure environment, but it’s up to you to make sure that happens.”
Meadows added that “The cloud requires a very diligent education process. I would expect that, just as with a physical data facility, I could do a walk-through at any time, to test the security procedures. When you are selecting a vendor, you need to do those things physically,” she emphasized. “We do spend a lot of time educating” internal stakeholders about what they’re doing, she said. “I’m asked once a week whether we use the cloud and should use it. And I say, yes, securely. We use athenahealth, and I don’t think anyone thought of it as cloud-based, but as a web-based solution for us. So it’s an ongoing education process for our physicians, staff, and patients.”
“What are the upsides of moving to the cloud?” Belcher asked.
“One of the big advantages we see is cost,” said Alexander. “And we’re talking security, so—you have to be careful not to let cost override security. But cost is a huge benefit for us. It’s one of the top-tier benefits involved” in cloud-based computing.
“To dig a little deeper into the cost,” Howard offered, “obviously, the cloud allows you to leverage more operational capital at a time of challenges with expenses. And the advantage in going to the cloud is that you buy only what you need in terms of services and capability.”
La Brosse stated that, “Whether we’re ready or not, the young people have no hesitation about jumping into the cloud. I have four teenage boys, and they wouldn’t have any question about it.” In other words, over time, a generational shift in favor of cloud-based computing is inevitable, he said.
“And we’re in an era where people want to bring their own devices to the possible,” Belcher noted. “And even though the cloud makes that super-possible, there’s a lot of anxiety that I hear. What if there’s something bad on that device? What if a device takes over your network and you get hacked? So per BYOD, how do you handle that?”
Alexander quickly pointed out that “There are a number of apps now that are controlled by role. And users can log into the app, and there’s nothing on their device. And they can’t screen-shot or add anything to the app, so it’s a protected environment,” he noted.
Meadows added that at Cook Children’s, “We work on virtual desktops, which is great, because people can’t really mess things up. Fundamentally, though,” she said, data security success in a cloud-based environment means that “you have to create a security plan and stick to it.”
“And you need to have a policy,” Alexander emphasized, sharing an anecdotal experience that emphasized the need for well-thought-out, consistent policies across patient care organizations. “We had a nurse who was in surgery in the OR. She took her iPhone out and took a snapshot—did not take a picture of the patient’s face. But she showed a photo on Facebook. And because the accident involved, with a very bizarre injury, was so unique, the family recognized the bone sticking out right away in that Facebook photo. So you’ve got to have privacy and security policies in place,” in order to manage the full range of privacy and security incidents possible, he said.
When it comes to mobile app-facilitated care delivery, La Brosse told a story regarding a healthcare situation in his own family. “My son had Lyme disease,” he recounted. “And we called the pediatrician, and the first thing she said was to take a picture of the rash. We did that, and e-mailed it to her. In hindsight,” he said, “I wondered, where is that photo today? So you need to have some wiggle room to have a Plan B around all this. And there’s also always the possibility you might experience some amount of downtime, and you have to plan for that as well.”
And, Meadows noted, “With regard to policy development around all of this, it’s never a ‘one and done’ situation. The standards change, the policies change, the situations change. And the hardest thing is to hold people accountable to the process.”