Can cloud-based archiving cure your security headaches?

2017 03 21 13 52 55 363 Marshall Ed 400

Longstanding U.S. healthcare regulations have enforced the security of data from reasonably anticipated threats, but new -- even stricter -- guidelines related to data access and backup aim to create additional layers of security and integrity. Together, these requirements protect patient information and improve data accessibility, but the majority of departmental PACS archiving or disaster recovery (DR) systems fail to fully support these initiatives.

A new report from Risk Based Security states there were 4,149 total breaches reported in 2016 that exposed more than 4.2 billion records, and the medical sector accounted for 9.2% of reported breaches. As imaging volume continues to increase, so do concerns about issues such as data security, disaster recovery planning, business continuity when PACS networks go down, time invested in security administration, and friction generating referrals and expanding networks.

Ed Marshall from Ambra Health.Ed Marshall from Ambra Health.

Solutions like cloud-based vendor-neutral archives (VNAs) could go a long way toward curing security headaches at many healthcare institutions. If implemented properly, cloud-based VNAs can help hospitals ensure that their information is stored and managed by experts with cutting-edge tools for data security, access, and management.

The move to enhance security

There is an inherent risk to storing a growing volume of patient studies onsite, in terms of risk of loss alone, particularly as the U.S. Food and Drug Administration (FDA) further implements imaging storage standards. The recent report from Risk Based Security found that hacking continued to dominate as the leading type of security breach.

Imaging archives managed onsite are more susceptible to breaches instigated by hackers as hacking techniques become more sophisticated and IT resources are stretched thin. Other ongoing issues outlined by the report were data breaches from improperly configured databases and other inadvertent web-based disclosures, which exposed more than 253 million records in 2016. This type of breach is also more common when imaging archives are stored onsite or managed by in-house teams in hosted environments, as these teams often don't have the resources or budgetary support to ensure that sufficiently modern data security precautions are maintained.

In addition, in today's world where you're probably acquiring new organizations to grow your network, you're adding to the risk of data loss when images live in multiple, different systems, and you can't get to a single source of truth for imaging. As the focus in healthcare has shifted from fee-for-service to value-based and collaborative care, the security model needs to change as well.

The ultimate goal is to strike a balance between risk mitigation and utility. Why is this important? If information is too hard to share, users may seek out highly risky ways to manage image transfer, like taking photos of imaging with their mobile phone and sharing over text, which opens organizations up to potentially costly data loss and legal risks.

When to go cloud, not if

With customers in every healthcare segment, including hospitals, private practices, and clinical trials, cloud vendors are responsible for digital imaging solutions that affect the lives of millions of patients. A solution like a cloud VNA, with its own archive warehouse, stringent encryption across the "wire," and continuous monitoring against attacks from hackers, ensures maximum security of patient data.

And when it comes to the threat of potentially misconfigured databases, one of the most secure methods of storing patient data in the cloud is split-merge technology. This technology anonymizes image studies by removing protected health information from the imaging data. The protected health information is then separately encrypted and stored, creating an Internet-safe image study.

Data security in the cloud has historically been a major concern across industries, and the healthcare industry is no exception. How can you trust your vendor to securely manage data in an off-premise public cloud and keep image information safe? Be sure to ask about the following:

  • Data pruning: Is the system updated by automatically purging data that has exceeded its legal retention period based on configurable retention rules?
  • Scalability: Does the storage solution scale to accommodate growing image volumes?
  • Storing of non-DICOM data: Can it store and retrieve dozens of files formats such as JPEG, TIFF, DOC, etc.?
  • Audit trails: Are there detailed audit trails showing activity and interactions made with the image data?

There is a fine line between securing data and placing it behind hard-to-reach barriers that cripple productivity.

You also need to plan for the inevitable moment of "PACS is down but we need to keep going -- now what?" A cloud-based VNA consolidates access into one location, and audit trails provide clear accountability. In addition, by putting data in the cloud, business continuity is built in because if PACS goes down, there is a "PACS alternate" link on every workstation for radiology operations to continue uninterrupted.

Cloud VNA can also add to overall system interoperability by image-enabling electronic health record/electronic medical record (EHR/EMR) systems, producing one unified source for patient data. With this new and improved image management workflow, growing your network and offering new services such as image-enabling patient portals or offering a second opinion program become easily achievable opportunities.

But, beware the 'fake' cloud

When searching for a cloud VNA vendor, there are a few key items to keep in mind, so that you leverage modern technology and avoid outdated architectures that are simply "hosted" rather than built from the ground up as internet applications. The first is software as a service (SaaS). A true cloud vendor will offer a predictable fee structure, and the cost of business continuity, disaster recovery, system upgrades, maintenance, and storage should be built into the structure and managed by the vendor, as well as regular, stringent infrastructure and compliance audits.

A true cloud VNA will also eliminate the need for virtual private networks (VPNs) that could pose a security risk. Instead, images are shared through secure, encrypted web-based links or gateways that can send imaging directly from a PACS in high-volume scenarios like a trauma center. This adds extra security and protects against possible "sniffing" of data.

Finally, a cloud VNA should provide an application program interface (API)-first open platform leveraging modern web services that allow for flexible integrations with custom business processes and workflows, in-house apps, patient portals, EHR systems, and more.

The last word

Facilities must remain one step ahead of hackers and data breaches by rethinking their security strategy to solve cybersecurity problems. In fact, cybersecurity is no longer just a means to avoiding a PR disaster; rather, it's become a necessity for patient trust, as well as for driving innovation and revenue growth.

Embracing new technologies like a cloud VNA is one method of staying ahead of the game, and it is a necessary part of any patient-aware network that maintains key quality assurance practices in its hospitals and imaging facilities. Particularly, the convenience and affordability of the cloud offers a flexible and scalable solution that can grow with your network as it continues to expand.

But don't forget: Protect your facility and patients alike by searching for a vendor that is committed to offering infrastructure, privacy, and integration compliance, and one that provides you with complete confidence and trust.

Ed Marshall is chief product officer at Ambra Health. Before Ambra, Ed held roles as senior vice president and general manager of the Services Industry business unit at NetSuite, as well as vice president of sales and marketing for OpenAir, which was acquired by NetSuite. A seasoned speaker, Ed has presented at industry events such as the Gartner Symposium/ITxpo, the annual Technology Services World (TSW) conference, and the CFO Leadership Council.

The comments and observations expressed herein are those of the author and do not necessarily reflect the opinions of

Page 1 of 775
Next Page