As health systems evaluate replacing their electronic health records, they are considering cloud-based options.
“I am seeing a lot more adoption and acceptance of cloud-based EHRs,” says Nate McCarthy, associate principal at ECG Management Consultants. “If their infrastructure is coming to end of life, they are saying, ‘I’ve got to invest another and $ 50 million to refresh my infrastructure. I would rather pivot and spend a few million dollars in capital and pay a higher operating cost to have this be hosted in the cloud.’”
However, experts, such as McCarthy, caution that it’s important to plan carefully for how the health system and cloud-based EHR vendor divvy up responsibility for security and privacy and disaster recovery and uptime. Tight partnerships, ample communication and well-oiled change-management processes are vital, experts say.
And while leading systems are taking steps to address those issues before opting for a cloud-based EHR solution, others are not, particularly in dealing with security.
For example, a recent analysis from Thales, which sells digital identity and security products, and IDC found that many healthcare organizations are not prioritizing security when moving data to the cloud. Some 80 percent of 100 healthcare organizations in the 2019 Data Threat Report said they have placed sensitive data in the cloud, but only 38 percent of them are encrypting that data, and 25 percent failed data-security compliance audits. However, more than two-thirds of respondents said they plan to adopt encryption and tokenization in the future.
Another survey from Netwrix, a vendor of information security and governance products, found that inadequate resources played a role in the lack of security measures. Some 85 percent of healthcare respondents did not have an increase in their cloud security budgets in 2019, and 30 percent said they do not have financial support from management to address security adequately.
Nonetheless, 26 percent of them had at least one security incident in the cloud during the last year, the survey found.
“Security is it is no longer an option,” says James Valdez, director of private cloud services at Sungard Availability Services. “There is a lot that can be tailored to meet very stringent security requirements, and I think that appreciation of those services is rapidly rising. It hasn’t gotten the appreciation it should have for years.”
Valdez and other experts recommend that health systems have a shared responsibility model for security and uptime. For example, Valdez says, “We provide a platform and does not break any HIPAA rules and does not provide any security gaps.” The EHR vendor, in turn, makes sure that the application layer and data conform to security and privacy standards, he says.
When working with health systems, EHR vendors with cloud offerings often insist on a shared approach. In newer relationships between EHR cloud vendors and health systems, “the vendors are pushing back, I think appropriately, on the security responsibilities of the clients,” McCarthy says. He’s seen recent contracts in which the vendor wants the right to conduct “spot audits” of a provider’s security capabilities.
Shared responsibility certainly is the approach executives at UC San Diego Health and UCI Health have taken in their relationship with Epic.
The two University of California health systems share an instance of their EHR, which Epic hosts at its data center, with about 6,000 concurrent connections on weekdays. Epic also hosts the health systems’ backup capabilities at Epic’s disaster recovery operation. UC Riverside Health, which operates outpatient medical and behavioral health services, also uses the larger system’s cloud-hosted EHR through Epic’s community connect model.
“It really needs to be a tight partnership because even though the vendor is managing the systems and doing a lot of the back-end work, there is still a lot of interaction with our teams,” says John Torello, chief technology officer at UC San Diego Health.
For example, Torello has a call with Epic’s hosting team once a month to review system performance, cybersecurity and other issues. He also connects with the Epic team, as necessary, when specific problems with the EHR come up, such as users getting error messages when they login or their session freezing.
Before moving to a hosted EHR solution, the California health systems spent time on due diligence, making sure they understood both the processes and technology Epic uses to secure its environment, and ensure performance and uptime, Torello says.
Layers of Security
When it comes to a shared-responsibility model for security, Adam Greene, partner at law firm Davis Wright Tremaine suggests thinking about it in terms of administrative, technical and physical safeguards. “A lot of the physical safeguards get taken care of by the cloud provider. They maintain the servers and physically secure the environment,” Greene says. However, the health system is responsible for physical security around the workstations, he adds.
With technical safeguards, cloud providers will offer features such as encryption and audit logs, “but it falls on the provider to understand the technical safeguards and appropriately configure them,” Greene says. “For example, I have seen numerous phishing attacks where email servers with protected health information are compromised. It is only after the attack that people realize they didn’t have the most robust auditing turned on, and as result, can’t tell which emails were compromised.”
For their role in administrative safeguards, such as risk analysis and password management policies, providers need to include the cloud resources in addition to their internal resources, Greene recommends.
Overall, Greene says, “They need to make sure that they don’t treat the cloud as a plug-and-play solution.”
AdventHealth takes shared responsibility for security seriously. The health system is adopting HITRUST standards for sensitive health information developed by the HITRUST Alliance, Frisco, Texas.
AdventHealth plans to achieve HITRUST certification for its corporate campus and data center by the end of 2020 and the physician’s practices and hospitals in 2021, according to Russ Walker, chief information security officer at AdventHealth, based in Altamonte Springs, Fla., with 48 hospitals and hundreds of outpatient facilities in nine states.
One reason AdventHealth is pursuing HITRUST certification is so that it will be using the same standards as its EHR vendors. For example, its outpatient cloud-based EHR vendor, athenahealth, is already HITRUST certified. Once AdventHealth is HITRUST certified, the two organizations will “have complete alignment” on the cybersecurity controls they are using, Walker explains.
AdventHealth also is layering extra levels of controls on top of current HITRUST standards, Walker says. For example, the health system is implementing a privileged account management system from BeyondTrust. Using automated password and session management, the privileged account management system requires system and database administrators to log in via a separate secure server, or jump box, using two-factor authentication. By December, access to the underlying infrastructure, such as firewall services and intrusion detection systems, will be managed with privileged account management. For phase two, AdventHealth will require system and data administrators to go through the same process to access applications, such as the EHR from athenahealth.
Another area of partnership between health systems and cloud-based EHR vendors is ensuring uptime.
In the case of the UC San Diego Health and UCI Health, there are multiple network paths into both the production and backup environments. “We have, in fact, failed over for short periods of time—usually for things like network carrier type issues, causing performance type issues,” Torello says.
He said they have not had a natural disaster or cybersecurity incident involving the hosted EHR, but they prepare regularly for such events with testing, employee training and other forms of preparation.
McCarthy, the consultant, says even if a health system has both production and backup infrastructures off premise, such as at Epic’s two data centers, it’s important to have a local copy of the EHR as well. He recommends a minimum of one designated business continuity machine within in each hospital department or ambulatory clinic, with standard security protocols, including restricted access.
Whether addressing security and privacy or uptime and disaster recovery, developing tight partnerships with ample communication is vitally important. That’s been a key lesson learned for Novant Health, which opted to host its Epic EHR, including both production and disaster recovery infrastructures, on Virtustream’s xStreamCare, using an infrastructure-as-a-service model.
It’s a large cloud-based EHR. At peak times, there are 16,500 concurrent users logged in to the system at Novant Health’s 15 hospitals and 634 outpatient locations in North Carolina, South Carolina, Georgia and Virginia.
Novant Health kept Clarity and Caboodle, Epic’s data warehouses, on premise. “The reason we have done that is we had just made a very extensive investment in the hardware stack underneath Clarity and Caboodle, and we really wanted it to run its cycle before we did anything different with that,” explains James Kluttz, vice president and chief technology officer at Novant Health.
In preparing to roll out the cloud-based infrastructure earlier this year, Novant Health’s executives were careful to include Novant, Epic and Virtustream, a business unit of Dell Technologies, in all aspects of planning and operations. “It is absolutely a partnership between Novant Health and Virtustream, but Epic is at the table alongside of us,” Kluttz says. “From Day 1, Epic was at the table when we architected the Virtustream architecture.”
Since the system went live in February, all three partners have been involved in weekly performance-improvement meetings in which they work on optimizing electronic workflows.
But looking back on developing the relationships, Kluttz says he probably underestimated the importance of thinking through how changes that one partner makes would be communicated to the other partner now sharing responsibility for the performance of the EHR system.
“Nothing can be assumed. The smallest of changes needs to be communicated clearly and distinctly across all parties,” he says. If communication is done well, everyone understands “what all of the moving parts are,” making it easier for the partners to figure out what the cause of a performance issue might be. Early in the partnership, Kluttz explains, there were a few instances where his staff had to backtrack to figure out “Did something change here, or did something change there? Why is this reacting this way?”
In addition to clear communication channels, Kluttz says that another aspect of change management is equally important: Preparing the internal engineers for the move to the cloud. “You bring them to the table and help them understand that you are not working them out of a job,” he says.
For example, Novant Health began redesigning engineering roles three years before the move to the cloud. The revised roles now focus less on hardware and more on automation and orchestration. “We did a good job of that. There wasn’t a panic. They saw it coming. They embraced it,” Kluttz says.