
Is Lack of Security the Death Knell of Cloud Companies?

Posted on December 28, 2016 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In the eternal discussion of what’s more secure, cloud or in-house, it was recently pointed out to me why many people now believe that a cloud company is more secure than anything you would implement in-house. Here’s the reason: if a cloud company gets breached, they’re dead.

I think this is true. At least it’s true in healthcare. I don’t know many healthcare organizations that would select a cloud healthcare IT company that had just been breached. Not many. If you’re a healthcare cloud company and you get breached, your future as a company is basically over. There might be a few that could survive if they have enough money, if there are mitigating circumstances, etc., but that’s going to be pretty rare.

With this in mind, it’s easy to understand why a cloud-based healthcare company is going to invest to ensure they don’t get breached. No startup founder or health IT company CEO wants to put their blood, sweat, and tears into a company that gets blown up because they didn’t address proper security and got breached.

What happens if a healthcare organization gets breached? If you’ve ever been there, it’s not a fun experience. It’s embarrassing. This is particularly true if your breach is large enough (500 or more individuals) to end up on the HHS Wall of Shame. I mean the HHS Breach Portal. Yes, there are often fines associated with a breach as well. It’s not pretty and it’s not fun. However, most healthcare organizations that get breached continue practicing like usual. Sure, they likely make an investment in some more security, a proper risk assessment, etc., but the organization still continues providing healthcare services like usual.

Fear isn’t always the best driver in life, but it can be a good one. Cloud healthcare companies have a healthy fear of being breached because their company’s future depends on it. That’s a powerful motivator to make sure you avoid breaches. I’m sorry to say that most healthcare organizations don’t have this same fear and motivation. Most of them still employ what I call the “Just Enough” approach to security and privacy. Note that it’s “Just Enough” to sleep at night as opposed to “Just Enough” to be secure. There’s a difference.

No doubt there are exceptions to the above on both sides of the aisle. Some cloud healthcare companies don’t do a good job securing their technology. Some healthcare organizations do a really excellent job securing their organizations. However, as a rule, I think it’s fair to say that most cloud healthcare companies are more secure than hosting something in-house.

Our Health Privacy Paranoia

Posted on November 21, 2012 | Written By


Katherine’s recent post on using EMR data to market to patients got a lot of really interesting discussion about how this data should be used and whether it’s okay to use EMR data for marketing. The majority of commenters were quite scared of the idea of EMR data being used for marketing. Most saw that there could be benefits, but saw it as a slippery slope and felt we should be careful going down that path. Most wanted an opportunity to opt out of such a policy.

Mark H. Davis offered a slightly different view in his comment about the need for privacy in this and other healthcare situations. Here’s what Mark said:

And now for a slightly different take…

I have no issues with my hospital using its knowledge of my health situation to provide me with targeted opportunities that might be beneficial. I see it as potentially a positive and proactive outreach. They will need to be sensitive in doing this, however, but in my region, the hospital system is pretty tightly woven into the community, anyhow, and would be rather affected by any backlash. And honestly, sometimes I feel like we make an overblown fuss about health data privacy just because everybody else is making a fuss about it, without stepping back and examining the actual impacts. For example, my mailman, with only slight observation, could easily deduce the health issues my wife, children and I have been treated for. The folks behind me in line at the drug store could do the same. Even most doctors’ offices I visit do a poor job of protecting privacy within the office itself. Just last week, I had to forcibly ignore the conversation taking place in an adjacent examination room. It was easily audible. Anyone who signs in at their PCP can see who has checked in earlier, for what doctor, for what time. Anyone who signs the pharmacist waiver form at the CVS can see who has signed in front of them. The prevalence of OTC meds makes it easier to tell what your fellow shoppers’ ailments are just by looking at their shopping cart. And somehow, we still co-exist. I’m not saying we shouldn’t protect ourselves against a massive data breach that could have dire consequences in the form of identity theft and other fallout. I’m just asking everyone to be honest about how serious they really are about privacy. It’s easy to pick on a hospital system without recognizing other areas where we turn a blind eye.

Mark does a great job articulating how many everyday healthcare situations expose our health data without any major issues. Yet people tend to get far more worked up over the potential of an EMR data breach.

Certainly I’m not advocating reckless behavior when it comes to healthcare data and securing it properly. We need to make a thoughtful effort to ensure that patient data is kept secure and private. However, let’s be reasonable in our expectations about what’s actually possible.