EMR Security in the Cloud

I recently had the opportunity to review an article by Michael Koploy of Software Advice titled “HHS Data Tells the True Story of HIPAA Violations in the Cloud“.  While the article has great data about the historical breaches, I think it’s fair to say that not enough time has passed for us to know the real implication of companies moving EMRs into the cloud.  HIPAA violations in an IT-centric environment like cloud or software-as-a-service providers are harder to detect, and the general awareness of rules around HIPAA violations are lower than that in the hospitals.  In fact, that’s one of the basic problems with people deciding to move their data into the “cloud;” it requires a lot of blind trust. Also, it’s important to keep in mind that a lot of physical theft reported by hospitals has nothing to do with someone actively seeking to steal PHI, and everything to do with someone losing a box of medical records in the warehouse or making their laptop easy for a thief to steal.  Comparing this to electronic hacking of EMR is simply like comparing apples and oranges, unless you can prove that all instances of physical theft were motivated by someone looking for the medical records.  On the whole, I would suggest that we simply don’t have enough information to make a risk determination for storing EMR in the cloud or whether it’s a good idea.  All we have is the “Wall of Shame” from HHS  and the data that can be interpreted in many ways and support a variety of conclusions.  For example, since 12/15/09, there have been 292 total reported incidents, of which 58 involved a breach caused by a Business Associate (BA).  Also, the statistics showed that 50% of incidents reported by BAs involved a physical theft or loss of data, closely followed by “Unauthorized Access / Disclosure” category at 43%.   This means that approximately 20% of all breaches involved a third-party, and in reality the statistics for breaches caused by BAs are not much different than healthcare providers.  Applying an unfair twist to this statistic I could argue that a decision to not move data into the cloud would reduce chances of a breach by 20%, which would not be any less accurate than stating that the cloud will reduce the number of reported breaches.  The truth is that there is simply not enough historical data, and companies need to exercise great due-diligence when they decide to trust a third-party with sensitive data.