With cloud computing, sorting out pros, cons

Dr. Carter

Her major concern is the requirements of the HIPAA Privacy Rule, in effect since 2003, and the HIPAA Security Rule, which took effect in 2005. These rules protect all health information that can be linked to a unique individual, and set administrative, physical, and technical safeguards for personal health information stored or used on any electronic media. Since 2009, the HITECH law has imposed stiff penalties for noncompliance with HIPAA, particularly where there are security breaches compromising data, and the HIPAA Omnibus Rule has required that genetic information (as defined under the Genetic Information Nondiscrimination Act) be treated as protected health information under HIPAA.

As health entities confront escalating health data security breaches, this collection of federal laws has enormous implications for data in the cloud, Dr. Carter says. She has looked at cloud servers and finds that the ones that are even somewhat secure under HIPAA are inordinately expensive. “Hospitals that say they’re using a HIPAA-compliant cloud may not realize that it’s only covering one of the three different categories of safeguards under the HIPAA final security rule.”

In addition to the security issues, putting records on the cloud also potentially eliminates the laboratory’s ability to directly integrate data within its EHR or LIS. In her experience, EHRs and LISs are proprietary and tend only to engage in HL7 real-time interfaces with other known instruments and platforms, not with the cloud.

Laboratories that turn to the cloud to save patient files generated from their next-generation sequencing instrument do acquire a lot more computing power, allowing faster processing than would be possible in-house, Dr. Carter says. “It means you’re not going to have to hire three FTEs. But I happen to know that a number of places are not using the HIPAA version of the cloud, thinking that if they remove the patient name and date of birth and apply an identifier number, but leave the sequence intact, they’re going to be okay with the law. And that’s not what I understand that the law requires.” In fact, she notes, there have been researchers who have published their ability to go back and re-identify individuals just based on their sequence.

The second issue is that people may falsely believe the cloud is secure and nobody can get to their data. “That’s not the case—not unless they have paid extra money and put in additional pieces of software to help monitor and audit who has access to the data.” She does not believe security breakdowns are inevitable, “but data breaches are doing nothing but getting worse.”

Unfortunately, people are buying into cloud services without full knowledge of these risks, in some cases preferring not to know because it will be more difficult and costly. But deciding to ignore the regulations can be considered willful neglect, from the viewpoint of the Department of Health and Human Services’ Office for Civil Rights. “Some institutions are running on the expectation they are not going to get caught. But if they do get caught, especially for breaches and willful neglect involving over 500 patients, I have seen the fines be in the $1 million or greater range.”

Laboratories that are considering cloud services should make sure they consult someone knowledgeable about the cloud and how to use it, to make sure it’s a feasible, secure, and cost-effective option, given all the safeguards needed. “You may have to hire someone and that’s going to add costs, but if you can’t hire someone, I wouldn’t do it.”

Virtual servers are somewhat different from the cloud, Dr. Carter notes. “The cloud means you are using servers in a location where you have no idea where they are and the company hosting your software may move it from one storage place to another without your knowing. With a virtual server, you typically know exactly what data center your data are sitting in. For example, Cerner has a huge data center in Kansas City where they remotely host a bunch of EMRs as well as LISs.”

In such a virtual server remotely hosted system, the risks are a lot lower because “you have more control over the systems and software, so you can ensure that all the HIPAA safeguards are built in.” With the cloud, on the other hand, she says, “The biggest issue for me is security. The vendor providing cloud services has an insane level of control over how secure it’s going to be, and sometimes you really have to dig to find out where the holes might be in how they’ve set things up.” Some cloud providers have even attempted to hold people’s data hostage as security for payment, Dr. Carter notes, but the Office for Civil Rights has been clear that no cloud provider can hold on to patient data. “They’re required to hand it back over and then securely delete whatever is left on their servers.”

In addition to those risks, many people may not realize that HIPAA requires a BAA (business associate agreement) document if there is any personal health information—even a de-identified genome sequence—on the cloud. “We’ve had NGS providers who have refused to sign a BAA because it basically makes the vendor be compliant with HIPAA and liable for theft, loss, or lack of security of the data.” But if labs are using the cloud and don’t have a BAA, they can be subject to fines by HHS. “Every year the Office for Civil Rights puts out how much money they make in fines from auditing people who are not compliant with HIPAA, and since 2003 there have been close to $50 million in fines.”

She suspects there is a lot of noncompliance and cautions that institutions have more to worry about than fines. Multiple institutions have had data go missing for large numbers of patients. “Even when no one could determine any evidence of wrongdoing, the breach notification rule under HITECH required that these institutions shell out millions of dollars per data loss to hire a public relations firm, contact patients, and offer them security monitoring for a year. And all this was without the Office for Civil Rights coming in and deciding to audit them.”

Nevertheless, the cloud continues to grow because typical NGS workflows and pipelines—algorithms that can be run in parallel to convert data—require quite a bit of computational power, Dr. Carter points out. “NGS is not the same as having a lab instrument and putting samples on it. There is a huge amount of validation that takes place. And if you decide you do not want to buy servers and have them sitting in your lab and instead want someone else to manage the servers, that’s often a reason why people—particularly at academic medical centers and large commercial laboratories—would want to use the cloud.” Cloud services are also often able to use hundreds of processors at one time, which can reduce NGS computational time, she notes.

Not every expert agrees that cloud computing represents a revolution. At one time, moving computing to local servers was considered an advance because of the unreliability of data communication, says Raymond D. Aller, MD, emeritus professor of pathology and former director of pathology informatics at the University of Southern California. And some hospitals, for many years, vowed to never take their files to the anything-goes environment of the Internet. “But now we have much faster, much more reliable, and redundant communication where there are multiple paths to get from the laboratory to a central server area, and servers may be distributed over data centers in several states, so if there’s a disaster, there is backup.”

Dr. Aller agrees that the security risks of having your server resources somewhere else are substantial. “Laboratory data needs, for medical reasons and social reasons, to be kept confidential. If a hacker got a list of all patients with HIV or sexually transmitted disease, there are many lab tests we really don’t want our neighbors to know about. Or results could be used as a substrate for blackmail, say through a threat to give data to a local newspaper and cause damage to a hospital.” In terms of the overall cloud architecture, he adds, that’s one of the biggest risks and concerns.

For laboratory workflow, Dr. Aller is skeptical of the benefits of cloud computing. “Automating workflow depends on how much you can rely on the speed and reliability of your network. If you have a robotic system running specimens throughout your lab, I suspect you’ll want a local controller for that because the timing between robots and instruments is critical; you don’t want intermittency in your response time. Maybe the central computer does the billing, but probably not workflow.”

The vaunted economies of the cloud may not materialize for the laboratory, he believes. “Vendors will say to use the cloud because you don’t have to have your own servers, which require work to buy and maintain, and to upgrade you have to buy a whole new set. But depending on how much they charge for the use of their servers, there may or may not be an economic advantage to using the cloud.”

Not long ago, he recalls, at one large data center maintained in the Midwest, which had 200 hospitals running on it, an engineer in the data center made a mistake setting up some control software. “That mistake propagated, so half of the hospitals in the network were down for several hours. So that’s a risk if you’ve got a single mass of software and databases.”

Sometimes hospitals can end up with even less functionality too. In another case he recalls, a four-hospital system serving millions of patients chose an EMR that was cloud based over another vendor’s product because the health care facility would not have to maintain its own servers and databases. But when the hospital wanted to add a test or a couple of elements to a patient report, it had to go through a central administration at a remote location. “What this hospital system ended up with was basically rigid control from thousands of miles away, and they did not have the flexibility to serve their own patients.”

Centralizing all of a hospital’s resources with a megadata center also carries risk, he notes, pointing to a recent instance of Amazon’s servers being down for several hours. In such a case, he says, you just have a larger single point of failure, and that’s contrary to the ideal of the Internet, which is to distribute risk. “If you have a single point of failure, it doesn’t matter if it’s in your own data center or back in Minneapolis, if you are connected to resources that aren’t helping.”

Next-generation sequencing may or may not thrive from storage in the cloud. “NGS and other kinds of genetic tools do have petabytes of data. It’s more challenging to push that data across the Internet, which has only a certain bandwidth, so it may not be the ideal approach. On the other hand, on the cloud it may be cheaper to buy that storage and there may be providers that will provide you the computers to crunch that data. When you have a map of genetic data, you need a place to put it, a way of crunching it, and a way to display it. You need specialized software, and if you’re Memorial Sloan Kettering, you can do it all in your lab. But for others, bringing all that ‘capacity to crunch’ down into a local lab may be less practical than it used to be.”

Still, in Dr. Aller’s view, some companies may be overpromising when it comes to cloud computing. “Somehow cloud computing was going to be the solution to all bugs, capacity, and software problems.” But that’s not true, and, he adds, risks such as ransomware (where hackers encrypt a company’s data and promise the decryption code only if a ransom is paid) have been on the increase. “A few years ago, hospitals said we’re not going to connect our hospital network to the Internet, but you can’t get away with that now; you have to connect your systems to the Internet. And when you do that, there are people in various countries who have found a way to lock up your files and demand a ransom for you to have access again.”

Dr. Tuthill, for his part, doesn’t believe the cloud increases hospitals’ exposure to ransomware. He sees room for debate about the kind of security risks that cloud services can open up. “I think most of these organizations that have had their data taken and held for ransom have had lax security practices, and because their data is local, it’s much easier for them to ransom a hospital. It would be much more difficult to do with a cloud service that was using best practices in a large industrial setting.” However, he adds, the arguments about cloud computing cut both ways. “You could probably have an hour-long conversation over a glass of wine and still come out of it saying, ‘Well, I’m not sure.’” So debate continues, but hospitals’ use of cloud services is probably here to stay.

Anne Paxton is a writer and attorney in Seattle.
