Nephi Walton, a biomedical informaticist at the Washington University School of Medicine, believes that though security concerns about the cloud are valid, organizations should take a broader look at their security management to see how secure they really are.
Also, security depends on how well health organizations work together with companies providing IT solutions. “You really have to build a relationship with that company and understand their framework,” Children’s National Medical Center IT security director Chad Wilson said during the panel discussion, adding that the devil is in the details of contracting.
That does not mean storing personal health information or personally identifiable information in the cloud is, or is becoming, a simple matter. For example, according to Beaufort Memorial CIO Ed Ricks, there’s no such thing as a HIPAA-compliant solution. “I always pause when a vendor says they are HIPAA compliant,” added Anahi Santiago, CISO of Christiana Care Health System. HIPAA is based on risk management, and risk management requires constant reevaluation of vendors and policies.
Experience with cloud
All four panel members quoted above already have experience with applications and data in the cloud. Walton said that many people in healthcare are inhibited by security concerns but don’t even realize how much data they actually have in the cloud already. Perhaps, he says, it is time to understand how well cloud suppliers like Amazon, Google and Microsoft are defending their cloud platforms, simply because they are targeted by cyber criminals all the time. “You’re hard pressed to match the same security as one of these companies.”
Kristin Chu, director of information services at the University of California at San Francisco Medical Center, said that ultimately providers’ responsibility is not all that much different than protecting data anywhere they store it, but recommended moving cautiously. “We did it very slowly and vetted it. It was successful over the course of months,” she said. “Cloud is key to our future.” Chu believes hospitals just have to get started with cloud applications and persevere in the process.
HIMSS17 runs from Feb. 19-23, 2017 at the Orange County Convention Center.