The biggest trend in the healthcare industry in recent years has been the epic government-mandated move to electronic medical records (EMRs). This effort promises to bring long-term cost savings, improved efficiencies and productivity, and, ultimately, enhanced patient care. It’s truly a life-saving endeavor.
Unfortunately, the road to those benefits is long and fraught with obstacles. To start, the upfront cost to convert to EMRs is high. Analysts estimate transitioning costs at $20 million for an average hospital, and $10 million for small hospitals. Further, due to inadequate security measures, the industry as a whole is spending some $6 billion a year on digital data breaches, according to the Ponemon Institute's 2010 “U.S. Cost of a Data Breach” study. Ouch.
What’s more, each time a breach affects more than 500 individuals, the afflicted institution must alert prominent media. So these organizations risk losing not only money but also patient trust, while patients end up paying the price in higher insurance premiums and potential medical identity and financial theft. Ouch again.
Making Security a Top Priority
So yes, we can say that there are motivators in place to protect patient data. We’ve got the HITECH Act, which financially rewards or punishes according to how well patient privacy is protected. And of course there’s the HIPAA security rule. It states that organizations must guard electronic patient protected health information (EPHI) from accidental, unauthorized, or intentional theft, loss, or destruction by sources or individuals either inside or outside the organization. Non-compliance can and should lead to severe consequences, including loss of certifications to operate should an institution fail a security audit.
So why have so many healthcare organizations neglected to make data security a top priority? For many, funding is a big issue. Unfortunately, the incentive dollars from the HITECH Act didn’t necessarily translate into an increase in healthcare IT security budgets. The time is ripe to find alternative solutions.
The good news is a trend in the healthcare industry toward adopting virtualization, both within the on-premises data center and through cloud services that offer resource hosting. This shift offers the obvious benefits of cost savings through consolidation, enhanced performance, and increased system availability. But there’s more. Digitizing all these records—charts, graphs, scans, tests, you name it—is one thing. Determining where they reside and how to secure them is another. And a virtual environment may be just the right place to keep this medical data safe and in compliance with HIPAA regulations.
Today’s market offers virtualization security solutions that have been purpose-built for the virtualized realm and can offer very high levels of automated compliance monitoring and enforcement for resources containing patient data. This is done through intelligent and highly dynamic security that keeps watch over virtual machines with HIPAA-regulated content, ensuring that both access to those VMs and their security configuration stay compliant. Think of it as enforcement of a “gold” image for virtual machines containing patient data. For healthcare organizations, this means complete visibility into how healthcare information in the cloud (private or public) is being accessed and protected.
Saving More in the Cloud
As healthcare organizations increasingly adopt virtualization, they will also be weighing options for deploying it on premises (a private cloud), going with a hosted service (public cloud), or even using a mix of both (hybrid cloud). Public cloud services, for instance, can enable institutions to keep identifiable health information and critical applications on well-protected and backed-up servers at a fraction of the cost of doing this in-house (the cost is spread out in monthly and annual contracts). And IaaS solutions assure that applications have the resources they need when they need them with on-demand compute.
The beauty of the cloud is that organizations don’t need to move their entire IT infrastructures, but can select which parts to outsource (a hybrid model). In all cases, however, healthcare firms need to vet their virtualization security providers well so that protections for patient data are continuous and compliance with regulatory standards is assured and documented.
As always, the key to security success is remaining proactive and maintaining an above-average IT security posture. Even with limited funding, there are ways to invest in protection and detection. Healthcare institutions can stay on the safe side by selecting a cloud infrastructure that includes dynamic, virtualization-aware security.