The rise of cloud computing has created a host of new challenges for patient privacy and data security, according to two Seton Hall School of Law professors. In a white paper released last month, Frank Pasquale and Tara Adams Ragone assert that government regulators need to issue new laws to specifically protect health data security as data transfer and exchange become more facile and ever more prevalent.
“Whatever their merits in other areas of business, cloud models have come under scrutiny when used in the healthcare arena,” Pasquale and Ragone say. “Patients are rightly concerned about critical health data being lost or inappropriately accessed. On the one hand, cloud service providers may reduce those risks by deploying their unique expertise. On the other hand, the more entities access data, the more chances there are for something to go wrong. Risks along many dimensions—legal, reputational, medical, among others—need to be addressed.”
“Cloud services suffer from certain vulnerabilities,” explains the paper. “For example, cloud services are at the mercy of internet access. Prolonged internet outages, such as recently experienced during Hurricane Sandy, create real risks that healthcare providers will not be able to access critical information when it is most needed. Privacy is also a renewed concern, as breaches of massive databases, even if they are less likely to occur than scattered breaches, are far more menacing to privacy and security.”
As huge banks of health data are increasingly used for population health management, academic research, and trend spotting, the risk of breaches or inappropriate access will grow. While HIPAA provides a general framework to help reduce the likelihood of unauthorized access to data during storage, transmission, or analysis, more specific regulations should be developed, such as reinforcing the need for agreements between physicians and cloud storage companies to address who is liable for protecting the data.
“When you have the protected health information stored in a central location, hackers will want to go in, (and) will attack the treasure trove,” said Ragone. “People have to have that information protected and not out into the public.” IT companies will do their best to push liability to other organizations, adds Pasquale, and federal regulators need to enforce the responsibility of IT companies under HIPAA and take firm action against violators.
Legal standards are still evolving to address the complexities of digital health data as EHR adoption skyrockets, health information exchange flourishes, and data analytics become more integral to research and treatment. But now is the time to ensure that developing regulations will be enforced in the future, the researchers reiterate. Healthcare providers and IT service providers must be aware of the magnitude of liability when sensitive data is breached, and must understand that there will be penalties associated with inadequate security as more and more data is moved into the vulnerable cloud.