(July 3, 2014): The growing trend of storing all kinds of data in the cloud comes with benefits and risks. When it comes to storing medical records in the cloud, however, patient privacy becomes a special concern. With a properly implemented cloud storage system, hospitals can share information far more efficiently. Prescriptions and test results are immediately available between hospital departments and floors that previously had ineffective communication networks. As a result, tasks can be processed more quickly, and performance and overall patient health are improved. Another benefit of storing medical records in the cloud is that doctors are not tied to their offices to look up patient information, as they can pull up medical records remotely. Also, when a patient moves to a new doctor, their files can be transferred with far less hassle. Finally, cloud computing has proven cost-effective for patients and healthcare providers, as patients do not have to pay twice for the same test when they go to different doctors and medical offices.
I. Risks Encountered When Relying on Cloud Storage of Medical Records:
While storing medical records digitally on the cloud may offer great promise for increasing the efficiency of the health care system, the cloud is not necessarily as secure as other forms of storage. Data security and privacy of health information are major obstacles. If a medical provider loses control of patient data, privacy could be endangered. The basic rules for how the American medical industry handles private data are in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Many argue, however, that just because something is HIPAA and HITECH compliant does not necessarily mean it is secure.
The headline for a year-long Washington Post examination released in December 2012 called the health care sector “vulnerable to hackers.” A computer scientist and technical director of the Information Security Institute at Johns Hopkins University was quoted as saying, “I have never seen an industry with more gaping security holes.” In 2012, Eastern European hackers broke into Utah’s state health records database, gaining access to personal information on 780,000 patients, including some 280,000 Social Security numbers.
- Human Error
Like so many other problems, medical privacy in the cloud often comes down to human error. Encrypted data is only safe if the required passwords are well protected, and that requires well-trained and conscientious employees. There have been several instances where employees maliciously stole data before leaving a company or absent-mindedly put data at risk by storing files on mobile devices that were later lost or stolen. A couple of years ago, a contractor for a university hospital lost a laptop with medical records of more than 34,000 patients. Last fall, a stolen unencrypted laptop from a California hospital exposed medical records of 250,000 patients.
Physicians and their staff are not the only ones who could be at fault. Employees of other companies using the same cloud service could also make a mistake, cause a data breach, or even intentionally steal or sell information stored on the cloud. A virus or other malicious program could potentially spread from one client’s office to the cloud server, and from there to other offices.
Finally, if a medical provider closes his practice, medical records stored on the cloud could be lost or at risk. If the provider does not keep a local backup, vital information may be compromised.
II. Final Remarks:
It is critically important for health care providers choosing to store medical records in the cloud to implement policies and training requirements to protect the privacy of patients. Providers should go beyond the requirements of HIPAA and HITECH to ensure adequate measures are taken to avoid being hacked, to prevent and fix human errors, and to keep up with technological advancements and threats.
Robert W. Liles, Esq., serves as Managing Partner at Liles Parker, Attorneys & Counselors at Law. Liles Parker attorneys represent health care providers around the country in connection with both regulatory and transactional legal projects.