If you work in the IT department of a healthcare organization, does it really matter whether your cloud services provider is focused exclusively on healthcare or has a healthcare vertical? After all, cloud technology is cloud technology. Right? Actually not. While the hardware (and even some of the core management software) may be more or less the same, that’s where the similarities end. Working with healthcare data, especially patient health information (PHI), requires a very specific, ever-evolving knowledge set.
Stolen PHI Is Growing
Cyber theft of PHI increased 40 percent between 2009 and 2013, according to a survey by the Ponemon Institute. Why the sudden upsurge? It’s simple: many healthcare organizations are easy targets. They often lag behind retail and financial organizations in creating hardened, multi-layered approaches to security. In fact, many healthcare organizations are behind in upgrading security systems.
With budgets tighter than ever as the healthcare industry transforms from a fee-for-service to a pay-for-performance orientation, money is limited. If the decision comes down to upgrading a firewall or purchasing a new MRI machine, the MRI machine wins nearly every time. The issue is further exacerbated by a lack of internal resources, as healthcare IT departments are focused on implementing, upgrading or maintaining their electronic health records (EHR) system, attesting to Meaningful Use and converting to ICD-10 codes. A lack of budget coupled with a lack of internal resources makes it extremely difficult to keep up with the cyber criminals, especially when the criminals are focused 24/7 on breaching the walls.
In Healthcare, Industry Focus Matters
With healthcare data, a cloud services provider not only has to know the technical side, it also needs in-depth industry knowledge. A cloud provider that is 100% healthcare-focused will have employees extensively trained in HIPAA policies and procedures on a continuing basis. They must keep up to date with changing regulations from The Joint Commission, the Centers for Medicare and Medicaid Services, individual states and other regulatory bodies regarding how data is to be managed. A mistake with any one of them can be costly.
For example, the laws in some states (such as California, Texas and several in the Northeast) are stricter than federal Health Insurance Portability and Accountability Act (HIPAA) standards, and may require shorter notification periods for unauthorized disclosure of protected health information. Healthcare data breaches also result in substantial fines. Recent examples can be read here and here. Clearly, there is a difference between merely “offering” healthcare cloud services and being immersed in them. Not understanding that difference can hurt your effectiveness in delivering care, your reputation, and your bottom line.
Matt Ferrari is CTO of ClearDATA.