Medicine as a Service: Could this be the next cloud frontier?

For most of the last decade, many hospitals and medical services groups have been migrating their workloads from physical servers to virtual servers, and they are now expanding beyond a purely virtual environment to include more cloud computing platforms and/or services.
Currently we are in the middle of the national digital medical records mandate, which calls for all health providers and hospitals to shift to electronic medical records as part of national healthcare reform, and that these records will move to the cloud is inevitable. This inevitable move to the cloud does come with its own issues and problems. One of the biggest is the security and safety of the private data on individuals, and I believe this has the potential to be really huge. Imagine…if hackers can steal millions of credit card numbers and related personal information, what could the hackers potentially steal from a medical records cloud infrastructure?
I am not going to get too deep into the security side of this discussion at this point, but rather focus more on some possibilities that could be available to us in the future as our national healthcare incentive really begins to take shape.
Early in my virtualization career I designed and deployed a virtual environment for a hospital. One of the biggest pushes was the migration of the hospital’s integration engine from mainframe LPARs to a virtual hypervisor. There were several different virtual machines that worked together as part of the integration and communication of all medical appliances and services in the hospital. Long story short, these virtual machines were the central communication and translation point for all devices in the hospital, letting them communicate with different systems where needed. This was my first vApp, so to speak. It demonstrated the integration hospitals need in order to tie hardware and physical devices together to work in concert with each other. Now, with centralized medical records, the degree of automation inside a hospital has a great chance to really enhance our medical experience.
In my dream world of the future, I envision medicine to be extremely automated, with the ability to pull all the needed records and test results for patients as they check into a hospital or doctor’s office. I could further imagine some kind of scanning or RFID system that will track patients as they move and have the medical records follow the patient around the hospital, as well as some ability to perform a check on medicines or other such treatment as a secondary check to lower the chance of mistakes being made.
Unfortunately there is a huge downside to all this centralized management and control—security. For these medical cloud systems to tie in to the hospitals, APIs will be created and used. The integration engine systems of the hospital will need to be augmented to retrieve the information and distribute that information to the different systems and services in the hospital.
As The Health Care for America Act continues to be rolled out within the timeframe mandated, it is going to have major security holes and vulnerabilities that will almost certainly be compromised at some point. This breach could come from hackers penetrating the systems to get access, like the Eastern European hackers that broke into Utah’s state health records database and gained access to personal information on 780,000 patients, including some 280,000 Social Security numbers. The breaches do not even have to come from hacking the computer systems themselves. The privacy of 29,000 patients in Indiana was breached when devices with sensitive data were lost or stolen.
In regard to cloud computing and general security of electronic medical records, the technology, the movement, and the practices are way ahead of the policy. Even beyond the obvious software-vulnerabilities perspective, the policies with regard to health privacy are woefully out-of-date. One specific example: HIPAA penalties focus on punishing disclosure and breaches of sensitive data collected by healthcare providers and insurers—but there are few protections against opportunistic data collection on health information from non-HIPAA sources. This is a pretty glaring hole, considering that data miners can essentially create a health profile of almost anyone by collecting information from online postings, or pharmacy purchases, or both.
As with any new technology the benefits can be enormous, but so are the risks, and never more so than when new technology gets rolled out. Should medical records and the private data that goes with them be grouped together, isolated, and developed into their own cloud service, say, Medicine as a Service? Should we do that to develop strict guidelines that can be applied to this service and related data, giving us a specific area to isolate, secure, and regulate with compliance? I think we are going to be in for a big surprise unless the policies used to govern those systems are updated and enhanced for the 21st century.