Cloud-Based Patient Data Holds Allure, Risks
Last year, when Utah Healthcare needed to create a way to move information between its two electronic medical records systems (a legacy of the hospital’s decade-old acquisition of another health care company), its IT department chose to design a Web-based bridge – a cloud-style technology. But the server hosting the bridge is the hospital’s own. In May, Utah introduced a portal allowing referring physicians to have read-only access to records on its dedicated servers, in effect approximating some of what a cloud can do, except keeping it all in house. Cloud "is still an in-vogue term," Dr. Pendleton said. "But though the majority of health care systems have Web-based elements, they still don’t capitalize on the concept in terms of the sharing and dissemination of patient information."
A few are taking the plunge anyway. This spring, the University of California San Diego Medical Center’s trauma department began using a cloud system to move radiology files, making it one of the first major hospitals in the country to switch from CDs.
The reason, said trauma surgeon Jeanne Lee, is that UC-San Diego receives referrals from trauma centers at two smaller hospitals that can take from 45 minutes to 2 hours to complete. "It’s a lot of wasted time," Dr. Lee said, which could be better used if the hospital had the radiology information before the patient arrives.
Dr. Lee said that while there had been a debate at San Diego about whether to move to a cloud model, "any system you use is liable to some sort of breach," and so far, "security hasn’t been an issue."
One Password Away
DocCom’s Dr. Bloor said that an increasing number of U.K. hospitals are using cloud-based applications, though not yet for patient records. DocCom’s own products aren’t designed to exchange patient-identifiable information but rather to coordinate teamwork within networks of National Health Service hospitals.
Still, the company aims to produce a platform capable of allowing teams to consolidate and communicate about patients, including the sharing of records – but such a platform is probably years or even a decade away from wide-scale adoption, Dr. Bloor and Dr. Shaw concede. In the United Kingdom as in the United States, the cloud is a long way from being accepted in a hospital setting as quickly as it has been in business, they said.
One NHS hospital in London has recently begun experimenting with a cloud model for patient records that would allow both clinicians and patients to access them from Internet-connected devices. But the "records" being used are simulations, and the project has attracted some controversy – mostly over privacy and security – even before its official rollout in August.
David Sansom and Brent Hicks, codirectors of clinical IT solutions at the Cleveland Clinic, say that despite concerns about patient information on the cloud, there’s already more of it there – at least in the United States – than people realize. They point to Surescripts, one of the country’s largest e-prescription networks, which uses a Web-based system for its 220 million member records on the cloud.
The Cleveland Clinic’s innovations department is currently working on a number of inventive cloud-based technologies, Mr. Hicks and Mr. Sansom say, including some that both supply data to clinicians to aid patient care and feed clinical data back into models. Recently, Cleveland Clinic’s innovations department spun off a company called Explorys, whose cloud-based product aggregates data on 10 million patients for use in population-based studies – information that, Explorys insists, is HIPAA secure.
While Mr. Hicks and Mr. Sansom are strong advocates for using the cloud in hospital settings, neither dismisses the privacy and security concerns the technology raises.
Hospitals must have the capacity to cache months’ worth of data in house as a safeguard against Internet connection failures, they say, and the cloud itself can become another point of failure, as the Amazon crash showed. Meanwhile, "HIPAA requirements were never designed for cloud-based computing," Mr. Sansom said. HIPAA requires two methods of identification, which is still not secure enough. When an EMR system is run in house, Mr. Sansom said, someone has to physically come into the hospital, find an unguarded PC, and enter a password to access sensitive patient information. With the cloud, of course, it’s only a password, he points out: "And that’s the problem."