Friday, June 24, 2011

Healthcare in the cloud

Michael Koploy has a really nice blog article where he uses the HHS breach notification data to see if there really is a security/privacy problem in Healthcare with using 'the cloud'. His analysis is that the data doesn't prove a significant security/privacy problem with the cloud, and might actually say that the cloud is a good place for Healthcare.

In the space of low-hanging fruit, there are far more security/privacy problems with simple theft of highly portable devices. I suspect, and have said the same in past analysis of the HHS breach notification data, that these thefts are simple thefts for pawn purposes. I suspect that the theft has very little to do with the data and everything to do with a cool piece of technology that is worth money. This is a factor that is simply going to grow with the increased use of these cool pieces of technology, like the iPad.

Unfortunately, the latest security/privacy problems in the internet space (e.g. Sony, RSA, Honda, etc.) are ones where cloud services were hacked and the data (e.g. names, email addresses, birth dates) was exposed. These cases get people very concerned about the 'cloud'. I think that they should be concerned, but then, as Michael points out, they should likely be more concerned about those cool pieces of technology that Doctors like to carry around with them.

Much of the concern is simply FUD (Fear, Uncertainty, and Doubt). People see what is happening elsewhere and multiply that Fear by many factors because the EHR in the cloud would be far more detailed. However, I don't think they really assess just how poor EHR protection would be in a small doctor's office that has no IT support. Far better to put the task of security in the hands of an expert. Still doesn't automatically make it safe, but that is where sharing best practices like NIST 800-146 Cloud Computing Synopsis and Recommendations

NIST 800-146 does a really good job of outlining not just the technology, but also the operational and policy issues.  They have touched on issues I had never thought of. They do a really good job of explaining responsibilities between the cloud subscriber and the cloud provider. I highly recommend that people use this guide.