Using the cloud for secure, simple medical image storage

Healthcare institutions today face a giant tug-of-war between providing adequate storage of medical images and ensuring their security. Cloud computing can help keep them ahead of the game, however.

The increasing size and complexity of medical images make their storage increasingly difficult to handle, an issue that's exacerbated by accessibility requirements from the many different providers participating in a patient's care. On the other hand, protecting sensitive patient information, such as images, is a top priority.

Regulations such as HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act have been created to help that effort, but achieving compliance is increasingly costly. Between storage and security problems, healthcare organizations find themselves strapped for time and money, and are struggling to keep up.

In a time highlighted by reduced staffing and smaller budgets, hospitals and other healthcare providers are juggling tasks such as upgrading imaging equipment every three to five years, maintaining copies of images in geographically separate locations, and facilitating a growing number of imaging procedures. On top of this, many providers are keeping medical images indefinitely. When everything is considered, the number and complexity of tasks related to medical image storage make it clear that something needs to be done to stay ahead of the future.

Challenges in sharing, disaster recovery

Coinciding with the need for storage is the need to share the stored information. The U.S. government's meaningful use rules for healthcare stimulus funding require the ability to share specific clinical information, and this capability will be expanded over time. The decentralized nature of the U.S. healthcare system has meant that primary care providers, specialists, and imaging services rarely function in the same facility. This makes sharing information about a particular patient challenging, and presents a series of security and logistical difficulties.

Typically, sharing medical images has been carried out through the transfer of physical media. Sending disks through the mail or with a patient, however, poses an obvious risk of loss or theft, and compromise a patient's privacy. In addition, the receiving provider could have a difficult time if the materials contained proprietary wrappers or were encrypted, thereby rendering even DICOM-standard files useless. Sharing images digitally via virtual private network (VPN) is one of the more common alternatives, but that still requires significant effort and expense for implementation and maintenance.

In the U.S., the healthcare industry continuously upgrades to the most state-of-the-art equipment for patient care. Because of that, it seems it would be natural for the industry to also adopt the most cutting-edge technology for health information management. Expensive equipment that creates data is worthless if the data are subsequently lost, corrupted, or unavailable for any reason.

The International 2010 Data Management Healthcheck Survey from BridgeHead Software found that healthcare IT executives listed disaster recovery as their top investment priority for 2011. While such prioritization is prudent, implementing a disaster recovery plan can place yet another burden on a tight, and sometimes shrinking, budget. Still, healthcare IT professionals see the need to recover lost data as a real concern.

Identifying the ideal approach

In dealing with the complex issues related to medical image storage, healthcare IT professionals need to understand that simply buying more digital storage space only addresses part of the problem. Only 50% of costs related to maintaining imaging data goes toward hardware and software; everything else goes toward maintaining the human resources necessary for managing onsite data and providing support. A true solution to medical image storage needs to address all these elements.

Offsite hosting services offer many of the answers to the complexities of medical image storing. Personnel costs are lowered, and facility maintenance is reduced or eliminated. In addition, data migration to new systems becomes unnecessary because new equipment is simply "mapped" to the data store when it is introduced. All that aside, the scalability offered by hosted solutions is hard to ignore. By using hosted services that have adequate storage for future needs and that inherently reduce the cost of storage per terabyte, facilities often see savings of 25% to 50% compared with the cost of onsite storage.

In addition to cost savings, security risks can be reduced and compliance made easier. Simply selecting a service that keeps a redundant copy of your files allows you to instantly alleviate certain regulatory pressures.

Importantly, the increased compliance also increases functionality. Hosted services allow image sharing between clinical staff in different locations without, in most cases, even requiring new software installation. Physical packages and VPNs are replaced by a simple Internet connection. As long as it has a secure connection, a hosted service addresses cost, compliance, and complexity in a one-stop, streamlined approach.

Assessing cloud service providers

Cloud service providers who are managing end-user data need to address a whole range of issues around security, data privacy, and ownership. We are closer to a secure future in the cloud than most people think. Health IT professionals who are considering adopting cloud services must keep security top of mind.

Today, certifications such as ISO-27001 and SAS-70 Type 2 are credentials that show how cloud providers operate. With ISO-27001, organizations are formally audited and certified as being compliant with the standard. If your cloud provider is ISO-27001-certified, you can have a level of confidence in their information security controls.

Tools such as the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire help assess cloud providers using a standard set of questions. Last October, the CSA introduced the Certificate of Cloud Security Knowledge, the industry's first user certification program designed to ensure that professionals have demonstrated awareness of security threats and best practices for securing the cloud. And, other organizations such as the National Institute of Standards and Technology (NIST) are developing standards for cloud interoperability, data portability, and security.

Depending on the data being stored, service providers may become business associates. A provider needs to know what that means and be prepared to accept that role, as well as the responsibility to provide the same or better security and privacy than a covered entity.

Regardless of which services and vendors an organization chooses, the organization is ultimately responsible for ensuring that information is secure and that sensitive information remains private. Similarly, data that reside in the cloud may still be subject to legal discovery and other requirements. These issues need to be clarified and understood by both cloud service providers and consumers of those services.

Costs are rising in all areas of the healthcare industry, but needs also are increasing. If nothing is done to rein in the costs of image storing, hospitals will, sooner or later, find themselves unable to keep up.

Using offsite storage will keep storage costs down, but will subsequently reduce costs related to compliance and personnel. All of this is important in the future of healthcare.

The right offsite data storage provider can solve multiple problems by reducing storage expenses, providing data recovery in a disaster, and making it easier to share images among clinicians.

David Finn is the health IT officer at Symantec, a data storage and security firm.

The comments and observations expressed herein do not necessarily reflect the opinions of AuntMinnie.com, nor should they be construed as an endorsement or admonishment of any particular vendor, analyst, industry consultant, or consulting group.

Page 1 of 775
Next Page