Most Patient Record Storage is Like Hiding Money in a Mattress
Editor's note: This blog was written by Craig K. Collins, president and CEO of Perminova Inc., La Jolla, CA.
One weekend afternoon last fall, a burglar broke into an office and stole some computer equipment. That fairly commonplace crime resulted in one of the biggest patient health data breaches in history. Probably without knowing it, the thief snatched a computer whose hard drive contained more than 4 million unencrypted patient medical records, including names, addresses, birth dates, phone numbers, email addresses, medical record numbers, diagnoses and other information. Shortly afterward, 11 class action lawsuits were filed on behalf of those patients, seeking more than $1 billion in damages. It was a costly misadventure -- and completely avoidable.
This sort of data breach is all too common. According to the U.S. Department of Health and Human Services, 40 percent of large patient health data breaches involve lost or stolen devices. Every healthcare provider that handles and stores unencrypted patient data in a traditional client-server system may be vulnerable. They wouldn't be, if they were instead using secure private cloud systems.
A growing number of vendors (my company is one of them) instead provide web-based secure private cloud systems, where health records are automatically encrypted, and - most importantly - never reside on a local computer hard drive or server. In client-server systems, the norm throughout healthcare, data is stored on local servers usually housed in a room in a hospital or administrative center. Records are routinely downloaded and uploaded back and forth from desktop and laptop computers to local servers. And most of this data is not encrypted.
When making comparisons between client-server and secure private cloud systems, I'm not talking about public cloud systems. The difference is critical. A secure private cloud is built around a high-security private database where each client's data is protected in its own database schema. Public cloud refers to a cloud infrastructure that is available to the general public and where data may be stored in various database locations depending on availability. Public cloud should not be used for patient health data.
Many healthcare administrators like client-server because they feel safer keeping their patient data within reach. But that's like hiding money in your mattress and feeling like it's safer than the bank. You can't keep an eye on that mattress all the time, nor can health system personnel keep watch over every piece of local equipment that might contain health records. Secure private cloud is like taking money out of your mattress and putting it into a bank.
In fact, banks have been using secure private cloud and web-based systems for years, as have military contractors. If secure private cloud can be safe enough for your money and your national security, surely it can be safe enough for your patient health data.
For security reasons, I won't tell you the name of Perminova's private database or where it's located, except that it's ensconced in an anonymous warehouse at the back of a nondescript business park.
Walk in the front door, which is open 24 hours a day so clients can always access their data, and you feel like you've stumbled into black ops guarding a national security secret. A small window of bullet-proof glass fronts a uniformed attendant scrutinizing a bank of closed-circuit video screens. Cameras sweep the waiting room, whose walls are Kevlar-impregnated. A secured iron door with biometric fingerprint and face scanners leads into what's known as a man-trap. The man-trap is a small room with more cameras, where the inside door won't open until the outside door is locked. Visual and verbal security checks must be passed before you're released from the man-trap. Then you pass through a hallway with more cameras and another barred door with a biometric fingerprint scanner. Inside, the data center looks like a prison with servers as inmates. The giant warehouse is filled with rows of cells; each vendor's server banks are locked in separate cells. The data center is managed around the clock by data security experts.
By contrast, in most client-server systems at hospitals, onsite servers and other hardware are housed in a server room that is protected by little more than a locked door, if that. Meanwhile, desktop computers sit unguarded, while laptops may be locked in a file cabinet or taken home. Healthcare IT staff are spread thin with many duties, such as servicing all computers and other equipment. Data security is important, but it's only one of many responsibilities for them.
With web-based systems that use software-as-a-service and store data in a secure private cloud, patient information is entered directly into, and accessed directly from, the secure private cloud rather than through software that resides on desktops and laptops. When you hit "save," you're saving to the secure private database, not to your laptop or PC. So if a computer is lost or stolen, patient health information remains safe.
Cloud computing is exploding right now in many industries - including industries where security is very important. Healthcare has lagged behind, largely due to security concerns; preconceived notions about cloud computing and security abound. With each new patient data breach caused by a stolen laptop or insider snooping, it's time to consider that secure private cloud is an answer, not a threat.