As I described in my last column (“Cloud Computing May Be a Simple Solution for Your EHR Needs“), there are significant advantages to implementing “cloud” technologies in health care. In general, the term “cloud computing” refers to a computer model that allows users on-demand access to an application and its data through a third-party provider using the Internet. There are several types of models available. Software as a service, which is a method of providing the electronic medical record (EMR) or electronic health record (EHR) as a service, is probably the most appealing. The advantages of this model include the following:
- Users have unlimited access to the software using any device connected to the Internet;
- The user is not chained to one stationary computer;
- Data can be shared with other systems;
- All users access the same version of the software;
- Maintenance and upgrades to newer versions are easier;
- Health care data security are improved;
- The system has its own IT support; and
- Investment in application or database management is unnecessary.
These advantages should result in significant cost savings, freeing up resources for implementation and user support. According to the results of a survey conducted by CDW Healthcare, 88 percent of health care organizations that have implemented cloud technologies have saved, on average, 20 percent of their health care costs.
—Rodney Lusk, MD
Drawbacks
There are also significant risks that each health care organization must face when transitioning to cloud-based hosting. Turning over data, security, availability and control to a third party means that your company has absolutely no control over where its data actually lives. Trust in your cloud vendor takes on a whole different meaning. Security and privacy, core issues in the health care market, have to be bulletproof.
Other critical issues include data availability, error limitations, disaster backup and rapid response times. Most vendors will have far more capabilities than the individual user. Unauthorized disclosure of information results in severe consequences to the organization and significant costs in recovering and restoring data as well as notifying affected individuals.
When considering a host provider’s stability, firmness of pricing structure and availability or uptime guarantees are critical. Your organization and vendor must have sufficient bandwidth to accommodate your needs. Nothing is worse than being dependent on software that is so slow it becomes unusable. The size of the vendor is not a good sole measurement of viability. Google and Microsoft have invested heavily in their own private health care modules and databases, but Google has recently announced it is scrapping the entire venture at the end of this year.
Contracts and Liability
I will say it again: The reality is that when you move to a cloud-based vendor, you are handing over control of your IT operations and all of your data. If you experience problems with your software or data and you have an uncooperative vendor, your entire network can be adversely affected. Your contract is your only leverage to make the vendor help you with your problem. Contracts are therefore very important, and you should not accept the “standard contract” provided by the vendor, which will likely be heavily biased in its favor. Because the cloud provider has control of the data and the application, the contract should require that the provider bear the costs of remedying a data/security breach, including notification of all affected patients.
Periodic independent audits should be conducted to ensure that safeguards are in place to prevent these breaches. Vendors that cannot, or are unwilling to, perform such audits should be avoided. Define and document the vendor’s insurance coverage, which protects you and the vendor from the costs of data loss and recovery. The insurance should be extended to patient notification and any associated expenses.
Specific parameters regarding availability or uptime of the system have to be addressed. Your EMR/EHR software is critical to your organization; minimal response times must be negotiated, and consequences for the vendor that falls short of its obligations should be clearly defined. No one ever expects or plans for a “divorce,” but if a break occurs, your termination rights must be clearly defined in your contract. Your data is your most valuable asset, and any dispute with your vendor puts your organization at significant risk. If the provider suspends or refuses to allow access to the data, you may be unable to provide service to your patients. You should reserve the right to access and retrieve data at any time as well as to receive assistance if operations must be moved to another provider. In cases in which the vendor is the sole proprietor of the software, this becomes a more serious problem that must carefully be thought through.
Before your company enters into any agreement, the contract must be reviewed by an experienced attorney or consultant who understands cloud computing. I believe that cloud technology is here to stay because of its convenience and cost savings. The liability issues will not completely resolve but should diminish as the technology matures.
Rodney Lusk, MD, is director of the Boys Town Ear, Nose and Throat Clinic and Cochlear Implant Center at Boys Town National Research Hospital in Omaha, Neb. He has been working with EMRs since 1996. He may be reached at rodney.lusk@boystown.org.