Securing Medical Information, Electronic Medical Records (EMRs) and Databases in the Cloud

Full text

(1)

By: Connie Bergquist, Matthew Brewer, Debi Harding, James Konderla, Elizabeth Nguyen, Nathlay Phothirath, David Tribble

BCIS 4690/5700 – TEAM 2

Securing Medical Information, Electronic

Medical Records (EMRs) and Databases in

(2)

Introduction

Cloud computing is growing in popularity in the IT environment. The medical field is also increasing its use of the cloud method for storing sensitive medical and personal information related to patients. In response to the new technology methods of storing information, a highly secure way to store this sensitive information is needed. We are looking into the best practices and methods to not only store this information securely, but to also transmit this information through a secure environment without the possibility of capture by unintended parties.

Key Issues

With information and applications being migrated toward a cloud format, security of the information on the cloud is becoming more and more of an issue. With increasing regulation from the Health Insurance Portability and Accountability Act of 1996 and the Patient Safety and Quality Improvement Act of 2005, it is important to have a set of guidelines and proof that these guidelines are being adhered to for auditing purposes. It is important that these guidelines can be followed to prove that they are being followed with confidentiality, integrity, availability,

authentication, and regulatory auditing.

Models and Frameworks

There are many Models and Frameworks in all areas of IT that can assist Healthcare providers as they journey down the path of implementing Electronic Medical Systems into their existing enterprise. The problem, though, with the number of models and frameworks, is that no one framework or model covers all areas and, due to the unique nature of the healthcare industry,

(3)

do not provide an “all-in-one” solution. Each does, however, bring particular strengths and outline best practices in certain areas of IT. Below we will focus on several frameworks and models in particular. In addition, we will also demonstrate best practices and define some of the key issues, as well demonstrate the redefinition of cloud-based platforms in their application to the healthcare industry.

The Healthcare Business Model

All areas of health care are required to keep legal healthcare records. This is defined as “the documentation of healthcare services provided to an individual during any aspect of healthcare delivery in any type of healthcare organization” (AHIMA, 2010). Traditionally healthcare facilities have kept patient records in paper files stored on site which, while a convenient method for physicians, posed a great risk to the privacy of patients: paper records made transferring information from one physician to another more complicated. Many health care facilities are moving now to electronic healthcare records (EHRs). EHRs not only allows patient information to transfer easier without loss of data while also allowing patients to better access their own records.

The American Recovery and Reinvestment Act (ARRA) that went into effect in 2009 was created to encourage healthcare organizations to adopt EHRs through financial incentive. This act focuses on several factors such as patient safety, best practices, return on investment, and ease of end-user adoption. Even so, the transition from paper records to EHRs is not a quick one, leading many organizations to use a combination of paper and electronic records during this transition. Some factors that are keeping healthcare providers using these hybrid records include funding barriers, competing technical priorities, strained human resources, and lack of industry education. The need for organizations to push past these factors into complete adoption of EHRs

(4)

should be a top priority as the use of hybrid records increases the risk to patient safety through transcription errors between the types of records. The use of EHRs is becoming the norm in healthcare organizations and, though the transition may be slow, it is one that will undoubtedly continue.

Security Frameworks and Best Practices

ISACA IT Assurance Framework

ISACA is a leader in IT governance, security, and control. They develop international information systems auditing and control standards(3). The IT

Assurance Framework gives guidance for IT audit and assurance documentation, defines concepts and terms for IT assurance, and establishes the IT audit and assurance standards that are important for regulation and control of information contained in Cloud Computing. These standards will hold each firm to a minimum level of security to assure that information cannot be easily obtained by unintended parties.

HITRUST Common Security Framework

The HITRUST Common Security Framework is a set of controls relating to the storage and use of electronic personal health and financial information. This framework was developed as a means to have consistent and thorough securing of information in the healthcare industry. The framework has “13 security control categories comprised of 42 control objectives and 135 control specifications.” Each of these objectives(4) can be met on the basic level. Or, they can be

(5)

increased to one of the two higher levels. There are also alternative controls when and where it is not possible to meet the Framework protocols.

Cloud Computing and Best Practices

Internal Audit’s Role in IT Services to the Cloud

Internal Audit’s role in businesses utilizing cloud computing is vital not only in the initial decision making process but throughout the lifecycle of company initiates. Based on the

information gathered by the internal auditor, decisions about what is completed in-house verses outsourced to the cloud are determined by managers. There are four areas where internal audit assists in gathering performance and legal information in regards to IT, which will affect your businesses transition to cloud computing.

Due Diligence – Initial Auditing assessments in this area not only outline

requirements but determine which vendors a company should enter into contract with. Internal Auditing must also determine which legal, regulatory, and contractual

requirements a company must follow to meet federal compliance.

Risk Assessment – Auditing assessments must also analyze the risk involved with any areas, including cloud implementation and present alternatives that provide both additional options and added flexibility to the company.

Business Strategy Compliance – The Auditing assesments must next analyze business strategy compliance, including current performance and security standards, compliance and penalties, subcontracting relationships and NDA’s while also determining how the business will meet these agreements.

Current Relationship Assessment – In this area, auditors must also analyze current relationships with vendors and service providers. Auditors must determine whether

(6)

these relationships have been properly maintained and whether or not they should continue into the future. The auditors must also analyze the effectiveness of these relationships to determine if vendors and service providers have completed tasks efficiently, within budget, and whether this efficiency has improved over time.

Defining the Private Cloud in Healthcare

In order to define the Private Cloud in any industry we first must look at the definition of “the cloud” which, in its most basic form, is defined as internet-based computing in which large groups of remote servers are networked to allow sharing of data-processed tasks, centralized data storage, and services or resources (1). According to an article from ServerWatch(2), the definition

itself alludes to the fact that the cloud now has “layers”. This new layered approach to the internet’s architecture has produced companies that can supply these levels of the Cloud into packages that enable many industries, including Healthcare, to make better use of time, resources, and, more importantly, to cut costs where needed. The common layers can be seen defined in the info graphic below:

(7)

As you can see, each layer provides a level of interest for healthcare providers in

providing business continuity solutions through a mixture of on and off-site services. The Off-Site nature of cloud services provides unique challenges and problems for the Healthcare industry and its providers, the main concerns consisting of:

• Always-On Requirements: Data and applications must be available 100% of the time without interruption or data loss

• Security: Due to many laws, including HIPAA, all patient and healthcare data MUST be kept secure as well as available to the patient and providers when needed.

• Scalability: Healthcare systems must be able to house current patients while also being scalable and elastic enough to grow as new patients and new needs become available.

• Ownership and location: Who owns, as well as manages, the platform itself? How do current client machines connect to data and applications?

(8)

These concerns actually provide a best-case scenario for Healthcare providers: Private Cloud computing. The private cloud must meet all of the above requirements, while also cutting cost, providing CIOs control over the applications, data, and even the hardware itself as needed. Therefore, a very reasonable solution that provides the best of both worlds has become to provide on-site access to the data, such as through on-site primary servers to provide the speed and availability required of these systems while also utilizing off-site solutions for the needed software, platforms, backups, and even hardware needs of the business.

Plan of Action

As you can see from the previous sections, there are many different frameworks with strengths and weaknesses in different areas of IT. The unique structure of the Healthcare IT world, however, means that a Healthcare provider cannot depend solely on one framework or methodology and must “pick and choose” portions of each while also meeting federal regulations and patient requirements. In order to do this, we would like to outline our Plan of action towards securing Patient and Medical information in the cloud through the following sections.

Gain Support of Top Management

Comparison of Costs and Benefits

CIO’s need to assess costs and benefits of implementation and the different

measurements retrieved from each associated area in regards to technology. Legal compliance assessment should be supplied by internal audit, IT should provide the cost and benefits of in-house services, and all other departments should list their needs and areas the company may benefit to invest in to assist in this process and complete the overall assessment of whether cloud computing is an acceptable environment for any particular business. The company may also need

(9)

to consider outsourcing based on cost savings and what the company’s core competencies are. The state of the businesses current systems, the levels of risk and security, and the ability to migrate is also a determining factor in the cost/benefit analysis. The last major factor any business must assess is their core competencies of the business and the ability of the business to manage IT infrastructure will determine the outsourced cloud implementations the business may consider.

Equipment and Policy Training

Cloud computing infrastructure as a service is an area where equipment and policy training for cloud computing will need a lot of guidance before enlisting upper management will support. Governance, procedures and policy of equipment and IT structure must be clearly defined so that managers can determines the benefit offered by IT services to the company. Considerations must also be made for the differences in traditional and cloud computing environments, as well as the Bring-Your-Own-Device movement and the risks and benefits involved. No matter the company, Training and change management is crucial when implementing any new system into an organization.

Short and Long Term Planning

When planning implementation of Cloud computing services a business must consider both long and short term goals. Implementing cloud computing services is based off the decision to outsource certain services to reduce cost and focus on core competencies. Data centers, servers, operating systems, and applications are areas where systems can be converted to the cloud. There are constantly short term goals that must be achieved throughout implementation but the initial costs may be large in the short-term. Many short term projects within the

organizations such as marketing initiative and reducing overhead costs will add to benefits

(10)

gained by the cloud but management must be kept appraised of efforts so that long and short term goals can remain aligned. Cloud computing projects can be very successful and provide an avenue to profit before the competitive advantage becomes the standard but companies and IT managers must also keep in mind the immediate needs of the company in their short term

planning. The CIO should create a portfolio of the immediate benefits of implementation and the long term benefits of implementing the chosen cloud services.

Implementation of Cloud Computing in Healthcare

Data Protection

Patient information must always be confidential and be protected at all times but whether or not cloud computing can cover this requirement is a question all healthcare organizations should ask. To answer this question, cloud computing can vary on levels of protection,

depending on the choice of how it is set up. Due to the exposed and uncontrolled access of public clouds, there is little doubt that this method would not suit healthcare needs. On the other hand, private clouds may provide somewhat more data protection than public clouds. “They’re hosted inside an organization (or in a dedicated managed environment hosted by an Infrastructure as a service (IaaS) provider), allowing the organization dedicated control of servers, storage, and software at all times. Since private clouds are safer and more confidential than public ones, however, professional practices would be more likely to invest in this type instead.

Fortunately, though, new solutions allow more protection and control of the public cloud that healthcare organizations are welcomed to use. Despite recent developments, professionals responsible for sensitive data should be warned of the risks of cloud computing. Industries such as healthcare that use cloud are increasingly becoming targets for hackers and therefore are

(11)

strongly advised to evaluate their own requirements before deciding on cloud computing platforms.

Keeping Up With Regulatory Forces

Technological development is moving faster than ever and, as such, its regulations must stay in lock step with it. According to Joy Pritts, chief privacy officer in the Office of the National Coordinator for Health IT, there are reports that HIPAA will be modified to boost data protection for patients. Pritts believes that cloud computing in healthcare is “inevitable” and that smaller healthcare companies are resorting to cloud “to host electronic health records and help reduce start-up costs” (5). Changes entails HIPAA will directly regulate cloud services from here

on out. “The pending HIPAA modifications clarify that all business associates with access to patient data must comply with the privacy and security rules” (5).

Mobile Device Security and Policies

These days, it is normal for employees to follow the concept of BYOD (“bring your own device”) at their place of work. It is fast, convenient, portable, and makes information even more accessible. However, there are concerns about the amount of security over mobile devices, especially in the case of sensitive patient data; HIPAA policies try to address these as well as other issues. Bill Kleyman of HealthITSecurity.com brings up some issues in his online article such as data-loss prevention, device interrogation, cloud-ready device controls, geo-location services, monitoring and reporting, and SDK-ready application security to describe how mobile security deals with them.

Customer Relationship Management

No matter how great a product is, it does not matter unless we satisfy our customer. Our product should be easy to use and our clients should be confident when they are in the system

(12)

itself. In order for this to happen, we must build a good relationship with them. When our clients are storing medical data into the cloud, we want them to know that every single record is safe and secure. If we can build confidence in our customers through our products, it will better our reputation and allow us to keep our current customers and gain more.

We have to remember that our customers are also our business partners. We cannot just simply sell them the product and move on; we have to instruct them on how it works and be there for them in case they have questions, concerns, or problems with the system. With such important information being stored in the cloud, everyone has to know their duties, as well as what information they can and cannot access. The main thing we want to have is good feedback from our business partners, uphold a good reputation with our current and potential clients, and keep our customers with us.

Performance Management

An investment in the transition to EHRs is very time consuming and costly. Therefore, it is important for an organization to continually make sure the system is working effectively and efficiently. Switching from paper to electronic records can pose a great risk to patient privacy so it is always a good idea to conduct regular risk assessments. The goal of these assessments should consist of making note of potentially weak areas and implementing security updates. There should be a regular review of access availability to see who is editing information. Because EHRs are available to the patient and their various physicians from any location, it is important to assess the customer satisfaction aspect of things. Physicians that are end-users of the information can give useful feedback as to what information they are looking for when checking the background on a new patient while patient feedback consists of ease of use and access, as

(13)

well as timeliness and accuracy. All of these are factors to consider when measuring the performance of an EHR system.

Creating a Competitive Advantage

By using a centralized storage medium like the cloud, data and program maintenance overhead can be greatly reduced. A single, properly secured server means that maintenance tasks only need to be performed once, and changes brought on by government regulation can be rolled out without fear of system or software compatibility issues. This also means the

opportunity for very high data security standards since the total overhead can be kept lower than multiple standalone systems. Increased data safety means more customer reassurance, which leads to more customers.

When a system is centralized and available online, geography becomes a trivial problem. A web-based information system can be useful whether the customer is in a major metropolitan area, or the information is needed by a medical service provider in a rural home. All of these factors lead to increased patient care and a reduction of errors. When everyone has the most up-to-date information available, better decision making can take place resulting in better patient care.

Critical Success Factors

In businesses that choose to implement cloud computing there are always critical success factors and ways to measure the success of an implementation. For healthcare in particular there are five critical success factors that must be kept in mind:

1. Establishing Secure Networks/Integrated Platform for Cloud Computing. 2. Regular Evaluation of Performance Methods

(14)

3. Execute a Plan that has Top management support 4. Create Efficient Cloud Computing Network 5. Create user-friendly cloud networks

The first of these success factors is the establishment of secure networks during and after the implementation of the cloud computing platform. These networks should be continuously monitored and evaluated in order to gauge their performance against ever evolving threats and federal regulations. But for any implementation, cloud or otherwise, a plan must be executed with top management support through the use of champions, or people who believe whole-heartedly in your cause. Without the support of management any project is deemed to fail and, as business professionals with IT leanings we must be ready to create efficient and timely in order to not only gain but keep management support. We must also remember, though, that the implementation is not only used by managers, but is used by employees as well: in this case doctors, nurses, office personnel and also patients who wish to access their own records. To meet not only the functional but the aesthetic needs of these users, we must create not only efficient, but user-friendly cloud networks. In creation of these networks, we must maintain the integrity, security, and ease of access to data but also include an interface that is easy to use and easy to learn. Our call to action, therefore, includes all of these critical success factors and should be for IT professionals to bridge the gap with the use of current technologies, including on and off-site equipment, while also leaving a system flexible and scalable enough for future improvements and changes.

(15)

References

(1)Rubens, Paul (2010). Private Cloud, Defined. [ONLINE] Available at:

http://www.serverwatch.com/trends/article.php/3861191/Private-Cloud-Defined.htm. [Last Accessed February 10, 2013].

(2)Ludwig, Sean (2011). Cloud 101: What the heck do IaaS, PaaS and SaaS companies do?

[ONLINE] Available at: http://venturebeat.com/2011/11/14/cloud-iaas-paas-saas/. [Last Accessed February 10, 2013].

(3) ISACA (2008). ITAF™: A Professional Practices Framework for IT Assurance—Summary

Document. [ONLINE] Available at:

http://www.isaca.org/Knowledge-Center/ITAF-IT-Assurance-Audit-/Documents/ITAF-Summary-30July08-Research.pdf. [Last Accessed February 10, 2013].

(4) "The HITRUST Common Security Framework." HITRUST. HITRUST Aliance, 2010. Web. 26 Mar. 2013. <http://www.hitrustalliance.net/HITRUST%20CSF%20Brochure.pdf>. APM Group Ltd (2012). What is ITIL?. [ONLINE] Available at:

http://www.itilofficialsite.com/AboutITIL/WhatisITIL.aspx. [Last Accessed February 10, 2013].

Schiller, Mike (2012). Auditing Cloud Computing and Outsourced Operations. [ONLINE] Available at: http://www.isaca.org/Education/Upcoming-Events/Documents/2012-NACACS-Presentations/136-nac2012.pdf. [Last Accessed February 10, 2013].

Badger, M; Grance T; Patt-Coerner, R; Voas, Jeffrey;, (2012). Cloud Computing Synopsis and Recommendations. NIST SP - 800-146. (), pp.81 pp

(16)

Brand, D., (2012). Internal Audit's Role in Cloud Computing. EDPACS: The EDP Audit, Control, and Security Newsletter. 46 (2), pp.1-10

AHIMA. (2010). “Managing the Transition from Paper to EHRs”.

Scott, C. (2012). “Risk Assessments – What’s the big deal? Your responsibilities if you adopt electronic health records”. Beckers Hospital Review.

http://www.beckershospitalreview.com/healthcare-information-technology/risk- assesments-whats-the-big-deal-your-responsiblities-if-you-adopt-electronic-healthcare-records.htm

Hirsch, Deborah (2012). Health Information Exchange Featured Article. [ONLINE] Available at:

http://www.healthtechzone.com/channels/health-information-exchange/articles/302844-healthcare-cloud-computing-becoming-more-popular-but-be.htm. [Last Accessed March 17, 2013].

(5) McGee, M. (2013). Cloud Computing: HIPAA's Role How Privacy, Security Rule Modifications Will Apply.

[ONLINE] Available at: http://www.govinfosecurity.com/cloud-computing-hipaas-role-a-5406. [Last Accessed March 17, 2013].

Kleyman, B. (2013). Healthcare endpoint device security strategies: Data control. [ONLINE] Available at:

http://healthitsecurity.com/2013/02/07/healthcare-endpoint-device-security-strategies-data-control/. [Last Accessed March 17, 2013].

Figure

Updating...

References

Updating...