"Being in the cloud means you may have other companies using that same platform, because you're sharing a server," says Randy Rupp, security and compliance analyst with ICS Medtech. "If one of those companies is not secure, and the provider doesn't hold everyone to a standard, then you're exposed."
Practices now host far more than electronic health records (EHRs) in the cloud. Other data include records backups, email, Microsoft Office 365, data analytics, and -- more recently -- VDI systems (virtual desktop infrastructure).
A VDI device connects to a monitor, turning it into a virtual computer by hosting the operating system, software and files in the cloud. "So you don't have to invest in the software or physical hardware of a computer, like a tower or hard drive," Rupp says.
"The VDI is more secure for the client as long as the person hosting it is doing their job," says Curtis Woods with Integrated Solutions. The same holds for anything hosted in the cloud, though vulnerabilities still exist.
"There have been a few cloud-based EMRs that have had a breach," Rupp says. He knows of seven clients who got infected with ransomware because they were all hosted in the same data center. "They're still triaging it."
"You could be at risk with a cloud EMR," Woods says. "But good companies do not allow access to the servers." Configured properly, only the application opens in the cloud, so when other files outside of that application open on the user's computer -- such as ransomware -- they have no avenue into the EMR's server.
"The risk is always there, though," Woods says. "Nothing is flawless." Closely vetting cloud providers, however, serves as a strong deterrent.
The cloud provider should spell out everything in understandable terminology in the contract. "How will this keep me secure and how are you going to prove it?" Rupp says. "Get a third-party advisor to look at it if you don't have the tech knowledge."
Ensure the contract spells out details, such as the exact location of their servers. "You want to be in a Tier 2 data center where you have multiple internet paths, multiple grids, and a generator backup," Woods says. "Because if they're down, you're down."
Because cloud-based EHRs should be a closed environment -- unreachable by other softwares on the client's system -- "they should only be opening their system to do upgrades and then it's closed again," Wood says.
That procedure, however, can open them to attack. Three years ago, Target introduced a security flaw in their systems during an upgrade. In that breach, they lost 40 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information.
"It's important for clients to understand how their EMR company reports breaches back to their customers and how long that takes," Woods says. Some states, like California, have laws requiring companies to report breaches almost immediately. "Most don't, though. It has to be reported, obviously, but you might find out about it 30 days later after they've done an investigation, which could mean HIPAA fines for the client," Woods says.
When using the cloud, "you are just as liable as the company that got breached," Rupp says. "It may not seem fair, but the due diligence is not just on the provider of the service but on you. Because you're supposed to do checks before you go into an agreement like that."
Rupp knows of one practice using a cloud-based EMR that got attacked by ransomware. And then got breached again. "They had backups but they didn't know those backups were infected. Six months later, they got hit by the ransomware again," he says. The EMR provider did not have adequate safeguards in place. It cost thousands to replace the server and reload the data.
"Never put all your eggs in one basket," Rupp says. "If you're using the cloud, back up your data to local storage." Local storage means immediate access to the data, as long as the practice has a server on-hand that can run that data. "If the EMR uses a name-brand server with a proprietary database, you may need that exact kind of server handy to use your backup."
Practices can also enlist a business continuity and disaster recovery provider who can back up any server. "So if any connection is lost with your EMR or data," Rupp says, including from a lost internet connection, weather disaster, or malware, "they can spin up an exact copy and have you running."
Many things in the cloud are insecure. But the typical applications, like business-level email programs, should be fairly well secure, though file sharing still remains vulnerable. EHRs, however, have come a long way. "Cloud-based EMR is getting pretty mature," Woods says. "In the early days, we'd have been having a different conversation."